mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity

usb: atm: Use size_add() in call to struct_size() 

If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.

Fixes: b626871a7c ("usb: atm: Use struct_size() helper")
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/ZQSuboEIhvATAdxN@work
Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Gustavo A. R. Silva 2023-09-15 13:20:14 -06:00 committed by Kees Cook
parent 8fddc4b660
commit b7fa76e03b
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
drivers/usb/atm/usbatm.c
View File

@ -1018,7 +1018,8 @@ int usbatm_usb_probe(struct usb_interface *intf, const struct usb_device_id *id,
size_t size;
/* instance init */
size = struct_size(instance, urbs, num_rcv_urbs + num_snd_urbs);
size = struct_size(instance, urbs,
size_add(num_rcv_urbs, num_snd_urbs));
instance = kzalloc(size, GFP_KERNEL);
if (!instance)
return -ENOMEM;