As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: "David S. Miller" <[email protected]>
Cc: Eric Dumazet <[email protected]>
Cc: Jakub Kicinski <[email protected]>
Cc: Paolo Abeni <[email protected]>
Cc: Baowen Zheng <[email protected]>
Cc: Eli Cohen <[email protected]>
Cc: Louis Peens <[email protected]>
Cc: Simon Horman <[email protected]>
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
---
 include/net/flow_offload.h | 4 ++--
 net/core/flow_offload.c    | 7 ++-----
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h
index 021778a7e1af..ca5db457a0bc 100644
--- a/include/net/flow_offload.h
+++ b/include/net/flow_offload.h
@@ -190,8 +190,8 @@ enum flow_action_hw_stats {
 typedef void (*action_destr)(void *priv);
 
 struct flow_action_cookie {
-       u32 cookie_len;
-       u8 cookie[];
+       DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, cookie_len);
+       DECLARE_FLEX_ARRAY_ELEMENTS(u8, cookie);
 };
 
 struct flow_action_cookie *flow_action_cookie_create(void *data,
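Review bot: With both members of `struct flow_action_cookie` now declared through macros, the header no longer shows which field is the length and which is the payload, nor that the length counts bytes. A kernel-doc block above the struct would restore that, for example `@cookie_len: number of bytes in @cookie` and `@cookie: opaque cookie bytes, cookie_len long`. Code elsewhere presumably still reads `cookie->cookie_len` directly, so it is worth stating in the comment that the macros keep the member names and types unchanged, if that is what they expand to. The prototype that follows the struct continues outside this hunk.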
diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c
index 73f68d4625f3..e23c8d05b828 100644
--- a/net/core/flow_offload.c
+++ b/net/core/flow_offload.c
@@ -199,13 +199,10 @@ struct flow_action_cookie *flow_action_cookie_create(void 
*data,
                                                     unsigned int len,
                                                     gfp_t gfp)
 {
-       struct flow_action_cookie *cookie;
+       struct flow_action_cookie *cookie = NULL;
 
-       cookie = kmalloc(sizeof(*cookie) + len, gfp);
-       if (!cookie)
+       if (mem_to_flex_dup(&cookie, data, len, gfp))
                return NULL;
-       cookie->cookie_len = len;
-       memcpy(cookie->cookie, data, len);
        return cookie;
 }
 EXPORT_SYMBOL(flow_action_cookie_create);
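Review bot: The line `if (mem_to_flex_dup(&cookie, data, len, gfp)) return NULL;` discards the helper's return value, so a `len` rejected by the new bounds check and an allocation failure both reach callers as NULL. If callers translate NULL into -ENOMEM (not visible here), an out-of-range cookie length would be misreported. A short comment above the call, such as `/* Any failure (allocation or bounds check) is reported as NULL. */`, would make the collapse explicit. The `= NULL` initialiser also looks like something the helper requires rather than a defensive habit, and if so the same comment should say it.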
-- 
2.32.0

