wifi: nl80211: convert cfg80211_scan_request allocation to *_size macros

The cfg80211_scan_request structure is followed by a flexible array member
as well as several other arrays that are then stored into pointers in the
structure. These are allocated currently using a simple sequence of
multiplications.

Replace the calculations with struct_size(), size_add(), and array_size()
helper macros. These macros saturate the calculation at SIZE_MAX rather
than overflowing.

Note that we can't use flex_array_size() instead of array_size() because
the fields are not arrays, but simple pointers.

Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://lore.kernel.org/r/20230228162827.3876606-3-jacob.e.keller@intel.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
Jacob Keller 2023-02-28 08:28:27 -08:00 committed by Johannes Berg
parent 6933486133
commit 14e05beb10

View File

@ -9027,7 +9027,7 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
struct nlattr *attr; struct nlattr *attr;
struct wiphy *wiphy; struct wiphy *wiphy;
int err, tmp, n_ssids = 0, n_channels, i; int err, tmp, n_ssids = 0, n_channels, i;
size_t ie_len; size_t ie_len, size;
wiphy = &rdev->wiphy; wiphy = &rdev->wiphy;
@ -9072,10 +9072,10 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
if (ie_len > wiphy->max_scan_ie_len) if (ie_len > wiphy->max_scan_ie_len)
return -EINVAL; return -EINVAL;
request = kzalloc(sizeof(*request) size = struct_size(request, channels, n_channels);
+ sizeof(*request->ssids) * n_ssids size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
+ sizeof(*request->channels) * n_channels size = size_add(size, ie_len);
+ ie_len, GFP_KERNEL); request = kzalloc(size, GFP_KERNEL);
if (!request) if (!request)
return -ENOMEM; return -ENOMEM;
@ -9408,7 +9408,7 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
struct nlattr *attr; struct nlattr *attr;
int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0; int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
enum nl80211_band band; enum nl80211_band band;
size_t ie_len; size_t ie_len, size;
struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1]; struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF; s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
@ -9517,12 +9517,14 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST])) attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
request = kzalloc(sizeof(*request) size = struct_size(request, channels, n_channels);
+ sizeof(*request->ssids) * n_ssids size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
+ sizeof(*request->match_sets) * n_match_sets size = size_add(size, array_size(sizeof(*request->match_sets),
+ sizeof(*request->scan_plans) * n_plans n_match_sets));
+ sizeof(*request->channels) * n_channels size = size_add(size, array_size(sizeof(*request->scan_plans),
+ ie_len, GFP_KERNEL); n_plans));
size = size_add(size, ie_len);
request = kzalloc(size, GFP_KERNEL);
if (!request) if (!request)
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);