usb: atm: Use size_add() in call to struct_size()

If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`. Fixes: b626871a ("usb: atm: Use struct_size() helper") Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/ZQSuboEIhvATAdxN@workSigned-off-by: Kees Cook <keescook@chromium.org>

usb: atm: Use size_add() in call to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`. Fixes: b626871a ("usb: atm: Use struct_size() helper") Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/ZQSuboEIhvATAdxN@workSigned-off-by: Kees Cook <keescook@chromium.org>
b7fa76e0 · Gustavo A. R. Silva · Kees Cook · 8fddc4b6 · b7fa76e0
Commit b7fa76e0 authored Sep 15, 2023 by Gustavo A. R. Silva Committed by Kees Cook Oct 02, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

drivers/usb/atm/usbatm.c drivers/usb/atm/usbatm.c +2 -1

No files found.
--- a/drivers/usb/atm/usbatm.c
+++ b/drivers/usb/atm/usbatm.c
@@ -1018,7 +1018,8 @@ int usbatm_usb_probe(struct usb_interface *intf, const struct usb_device_id *id,
 	size_t size;

 	/* instance init */
-	size = struct_size(instance, urbs, num_rcv_urbs + num_snd_urbs);
+	size = struct_size(instance, urbs,
+			   size_add(num_rcv_urbs, num_snd_urbs));
 	instance = kzalloc(size, GFP_KERNEL);
 	if (!instance)
 		return -ENOMEM;