@@ -702,7 +702,7 @@ static int p54_convert_output_limits(struct ieee80211_hw *dev,
static struct p54_cal_database *p54_convert_db(struct pda_custom_wrapper *src,
size_t total_len)
{
- struct p54_cal_database *dst;
+ struct p54_cal_database *dst = NULL;
size_t payload_len, entries, entry_size, offset;
payload_len = le16_to_cpu(src->len);
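Review bot: The new `= NULL` initializer on `dst` reads like a redundant defensive store, but it is probably load-bearing, because `dst` is later passed by address to `mem_to_flex_dup(&dst, ...)`. If the helper expects an empty destination pointer, a later cleanup that drops the initializer would hand it an indeterminate value. The helper's contract is not shown on this page, so confirm it against flex_array.h. If it holds, add a comment on the declaration, e.g. `/* must start NULL: mem_to_flex_dup() allocates into it */`. The body of p54_convert_db continues outside this hunk.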
@@ -713,16 +713,12 @@ static struct p54_cal_database *p54_convert_db(struct pda_custom_wrapper *src,
(payload_len + sizeof(*src) != total_len))
return NULL;
- dst = kmalloc(sizeof(*dst) + payload_len, GFP_KERNEL);
- if (!dst)
+ if (mem_to_flex_dup(&dst, src->data, payload_len, GFP_KERNEL))
return NULL;
dst->entries = entries;
dst->entry_size = entry_size;
dst->offset = offset;
- dst->len = payload_len;
-
- memcpy(dst->data, src->data, payload_len);
return dst;
}
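Review bot: Nothing in the new body visibly assigns `dst->len` any more, so a reader must already know that `mem_to_flex_dup()` fills in the count member declared with `DECLARE_FLEX_ARRAY_ELEMENTS_COUNT` in p54.h. A comment above the call would make that explicit, e.g. `/* allocates dst, sets dst->len = payload_len, copies payload_len bytes from src->data */`. Separately, `payload_len` is taken from `src->len` in the wrapper header, which is likely device-provided EEPROM content. The helper can presumably only bound the destination side, so the read from `src->data` is still limited solely by the `payload_len + sizeof(*src) != total_len` test, and that test must stay ahead of the call. The condition that test belongs to begins outside this hunk.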
@@ -125,8 +125,8 @@ struct p54_cal_database {
size_t entries;
size_t entry_size;
size_t offset;
- size_t len;
- u8 data[];
+ DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, len);
+ DECLARE_FLEX_ARRAY_ELEMENTS(u8, data);
};
#define EEPROM_READBACK_LEN 0x3fc
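Review bot: With `len` and `data` now declared through `DECLARE_FLEX_ARRAY_ELEMENTS_COUNT` and `DECLARE_FLEX_ARRAY_ELEMENTS`, the member names no longer appear as ordinary declarations, and the struct carries no comment linking the two. A short comment above them would help, e.g. `/* len: number of bytes in data[]; set by the flex_array helpers on allocation */`. Any other site that allocates `struct p54_cal_database` by hand (none is visible on this page) would still need to set `len` itself, which such a comment could also mention. The struct definition starts outside this hunk.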
As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Christian Lamparter <chunkeey@googlemail.com> Cc: Kalle Valo <kvalo@kernel.org> Cc: "David S. Miller" <davem@davemloft.net> Cc: Eric Dumazet <edumazet@google.com> Cc: Jakub Kicinski <kuba@kernel.org> Cc: Paolo Abeni <pabeni@redhat.com> Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/net/wireless/intersil/p54/eeprom.c | 8 ++------ drivers/net/wireless/intersil/p54/p54.h | 4 ++-- 2 files changed, 4 insertions(+), 8 deletions(-)