usb: atm: Use size_add() in call to struct_size()

If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.

Fixes: b626871a7cda ("usb: atm: Use struct_size() helper")
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/ZQSuboEIhvATAdxN@work
Signed-off-by: Kees Cook <keescook@chromium.org>

diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c
index 1cdb8758ae01b1c83d47023e67569bdc0096f50f..2da6615fbb6f4ea6f1661d8354b27a26393dba1f 100644 (file)
--- a/drivers/usb/atm/usbatm.c
+++ b/drivers/usb/atm/usbatm.c
@@ -1018,7 +1018,8 @@ int usbatm_usb_probe(struct usb_interface *intf, const struct usb_device_id *id,
        size_t size;
 
        /* instance init */
-       size = struct_size(instance, urbs, num_rcv_urbs + num_snd_urbs);
+       size = struct_size(instance, urbs,
+                          size_add(num_rcv_urbs, num_snd_urbs));
        instance = kzalloc(size, GFP_KERNEL);
        if (!instance)
                return -ENOMEM;