As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying.
Avoids future false-positive warning when strict run-time memcpy() bounds checking is enabled: memcpy: detected field-spanning write (size 8) of single field "&res->hdr" (size 4) Adds an additional size check since the minimum isn't 0. Reported-by: Andy Lavr <[email protected]> Cc: Luca Coelho <[email protected]> Cc: Kalle Valo <[email protected]> Cc: "David S. Miller" <[email protected]> Cc: Jakub Kicinski <[email protected]> Cc: Paolo Abeni <[email protected]> Cc: Gregory Greenman <[email protected]> Cc: Eric Dumazet <[email protected]> Cc: [email protected] Cc: [email protected] Signed-off-by: Kees Cook <[email protected]> --- drivers/net/wireless/intel/iwlwifi/dvm/calib.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c index ae1f0cf560e2..7480c19d7af0 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/calib.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/calib.c @@ -18,8 +18,11 @@ /* Opaque calibration results */ struct iwl_calib_result { struct list_head list; - size_t cmd_len; - struct iwl_calib_cmd cmd; + DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, cmd_len); + union { + struct iwl_calib_cmd cmd; + DECLARE_FLEX_ARRAY_ELEMENTS(u8, data); + }; /* data follows */ }; @@ -59,14 +62,10 @@ int iwl_send_calib_results(struct iwl_priv *priv) int iwl_calib_set(struct iwl_priv *priv, const struct iwl_calib_cmd *cmd, int len) { - struct iwl_calib_result *res, *tmp; + struct iwl_calib_result *res = NULL, *tmp; - res = kmalloc(sizeof(*res) + len - sizeof(struct iwl_calib_hdr), - GFP_ATOMIC); - if (!res) + if (len < sizeof(*cmd) || mem_to_flex_dup(&res, cmd, len, GFP_ATOMIC)) return -ENOMEM; - memcpy(&res->hdr, cmd, len); - res->cmd_len = len; list_for_each_entry(tmp, &priv->calib_results, list) { if (tmp->cmd.hdr.op_code == res->cmd.hdr.op_code) { -- 2.32.0
