net: spider_net: Use size_add() in call to struct_size()

If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.

Fixes: 3f1071ec39f7 ("net: spider_net: Use struct_size() helper")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c
index 50d7eacfec5827a141b6a46be9d12b9b34359e64..87e67121477cb57eaaefa7588203a75025fd701c 100644 (file)
--- a/drivers/net/ethernet/toshiba/spider_net.c
+++ b/drivers/net/ethernet/toshiba/spider_net.c
@@ -2332,7 +2332,7 @@ spider_net_alloc_card(void)
        struct spider_net_card *card;
 
        netdev = alloc_etherdev(struct_size(card, darray,
-                                           tx_descriptors + rx_descriptors));
+                                           size_add(tx_descriptors, rx_descriptors)));
        if (!netdev)
                return NULL;