diff mbox series

[2/2,next] wifi: brcmfmac: Use struct_size() in code ralated to struct brcmf_dload_data_le

Message ID 41845ad3660ed4375f0c03fd36a67b2e12fafed5.1668548907.git.gustavoars@kernel.org
State New
Headers show
Series wifi: brcmfmac: common: Replace one-element array with flexible-array member | expand

Commit Message

Gustavo A. R. Silva Nov. 15, 2022, 9:55 p.m. UTC
Prefer struct_size() over open-coded versions of idiom:

sizeof(struct-with-flex-array) + sizeof(typeof-flex-array-elements) * count

where count is the max number of items the flexible array is supposed to
contain.

In this particular case, in the open-coded version sizeof(typeof-flex-array-elements)
is implicit in _count_ because the type of the flex array data is u8:

drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h:941:
 941 struct brcmf_dload_data_le {
 942         __le16 flag;
 943         __le16 dload_type;
 944         __le32 len;
 945         __le32 crc;
 946         u8 data[];
 947 };

Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Kees Cook Nov. 16, 2022, 10:23 p.m. UTC | #1
On Tue, Nov 15, 2022 at 03:55:34PM -0600, Gustavo A. R. Silva wrote:
> Prefer struct_size() over open-coded versions of idiom:
> 
> sizeof(struct-with-flex-array) + sizeof(typeof-flex-array-elements) * count
> 
> where count is the max number of items the flexible array is supposed to
> contain.
> 
> In this particular case, in the open-coded version sizeof(typeof-flex-array-elements)
> is implicit in _count_ because the type of the flex array data is u8:
> 
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h:941:
>  941 struct brcmf_dload_data_le {
>  942         __le16 flag;
>  943         __le16 dload_type;
>  944         __le32 len;
>  945         __le32 crc;
>  946         u8 data[];
>  947 };
> 
> Link: https://github.com/KSPP/linux/issues/160
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Reviewed-by: Kees Cook <keescook@chromium.org>
Gustavo A. R. Silva Nov. 17, 2022, 1:06 a.m. UTC | #2
On 11/16/22 16:23, Kees Cook wrote:
> On Tue, Nov 15, 2022 at 03:55:34PM -0600, Gustavo A. R. Silva wrote:
>> Prefer struct_size() over open-coded versions of idiom:
>>
>> sizeof(struct-with-flex-array) + sizeof(typeof-flex-array-elements) * count
>>
>> where count is the max number of items the flexible array is supposed to
>> contain.
>>
>> In this particular case, in the open-coded version sizeof(typeof-flex-array-elements)
>> is implicit in _count_ because the type of the flex array data is u8:
>>
>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h:941:
>>   941 struct brcmf_dload_data_le {
>>   942         __le16 flag;
>>   943         __le16 dload_type;
>>   944         __le32 len;
>>   945         __le32 crc;
>>   946         u8 data[];
>>   947 };
>>
>> Link: https://github.com/KSPP/linux/issues/160
>> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> 
> Reviewed-by: Kees Cook <keescook@chromium.org>
> 

Thanks for the reviews! :)

--
Gustavo
diff mbox series

Patch

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
index 2e836566e218..4a309e5a5707 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
@@ -110,9 +110,9 @@  static int brcmf_c_download(struct brcmf_if *ifp, u16 flag,
 	dload_buf->dload_type = cpu_to_le16(DL_TYPE_CLM);
 	dload_buf->len = cpu_to_le32(len);
 	dload_buf->crc = cpu_to_le32(0);
-	len = sizeof(*dload_buf) + len;
 
-	err = brcmf_fil_iovar_data_set(ifp, "clmload", dload_buf, len);
+	err = brcmf_fil_iovar_data_set(ifp, "clmload", dload_buf,
+				       struct_size(dload_buf, data, len));
 
 	return err;
 }
@@ -139,7 +139,8 @@  static int brcmf_c_process_clm_blob(struct brcmf_if *ifp)
 		return 0;
 	}
 
-	chunk_buf = kzalloc(sizeof(*chunk_buf) + MAX_CHUNK_LEN, GFP_KERNEL);
+	chunk_buf = kzalloc(struct_size(chunk_buf, data, MAX_CHUNK_LEN),
+			    GFP_KERNEL);
 	if (!chunk_buf) {
 		err = -ENOMEM;
 		goto done;