usb: atm: Use size_add() in call to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.
Fixes: b626871a7c
("usb: atm: Use struct_size() helper")
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/ZQSuboEIhvATAdxN@work
Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
parent
8fddc4b660
commit
b7fa76e03b
|
@ -1018,7 +1018,8 @@ int usbatm_usb_probe(struct usb_interface *intf, const struct usb_device_id *id,
|
|||
size_t size;
|
||||
|
||||
/* instance init */
|
||||
size = struct_size(instance, urbs, num_rcv_urbs + num_snd_urbs);
|
||||
size = struct_size(instance, urbs,
|
||||
size_add(num_rcv_urbs, num_snd_urbs));
|
||||
instance = kzalloc(size, GFP_KERNEL);
|
||||
if (!instance)
|
||||
return -ENOMEM;
|
||||
|
|
Loading…
Reference in New Issue