The pattern malloc(size + constant) is dangerous when size can be
manipulated by an attacker. In that case 'size' can be manipulated
in a way that 'size + constant' is 0 due to integer overflow. The
result is a zero sized buffer to which is then data written to.
Avoid this by using struct_size() instead.
Reported-by: Jonathan Bar Or <jonathanba...@gmail.com>
Signed-off-by: Sascha Hauer <s.ha...@pengutronix.de>
---
fs/pstore/fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/pstore/fs.c b/fs/pstore/fs.c
index 24b0fa5c9d..706c2d4684 100644
--- a/fs/pstore/fs.c
+++ b/fs/pstore/fs.c
@@ -62,7 +62,7 @@ int pstore_mkfile(struct pstore_record *record)
return -EEXIST;
}
- private = xzalloc(sizeof(*private) + size);
+ private = xzalloc(struct_size(private, data, size));
private->type = record->type;
private->id = record->id;
private->count = record->count;
--
2.39.5
