]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e3a23c3)
sctp: prefer struct_size over open coded arithmetic
authorErick Archer <erick.archer@outlook.com>
Sat, 27 Apr 2024 17:23:36 +0000 (19:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Jul 2024 09:40:48 +0000 (11:40 +0200)
[ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ]

This is an effort to get rid of all multiplications from allocation
functions in order to prevent integer overflows [1][2].

As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
structure ends in a flexible array:

struct sctp_assoc_ids {
[...]
sctp_assoc_t gaids_assoc_id[];
};

the preferred way in the kernel is to use the struct_size() helper to
do the arithmetic instead of the calculation "size + size * count" in
the kmalloc() function.

Also, refactor the code adding the "ids_size" variable to avoid sizing
twice.

This way, the code is more readable and safer.

This code was detected with the help of Coccinelle, and audited and
modified manually.

Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments
Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Erick Archer <erick.archer@outlook.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/sctp/socket.c patch | blob | blame | history

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index cbcbc92748ba9aa40df8676e315962cf3ade2c37..c188a0acfa5949abc52cac796f8979bc35210a40 100644 (file)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -7158,6 +7158,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
        struct sctp_sock *sp = sctp_sk(sk);
        struct sctp_association *asoc;
        struct sctp_assoc_ids *ids;
+       size_t ids_size;
        u32 num = 0;
 
        if (sctp_style(sk, TCP))
@@ -7170,11 +7171,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
                num++;
        }
 
-       if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)
+       ids_size = struct_size(ids, gaids_assoc_id, num);
+       if (len < ids_size)
                return -EINVAL;
 
-       len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
-
+       len = ids_size;
        ids = kmalloc(len, GFP_USER | __GFP_NOWARN);
        if (unlikely(!ids))
                return -ENOMEM;
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git