| Message ID | 20230117104508.GB12547@altlinux.org |
|---|---|
| State | New |
| Headers | show |
| Series | wifi: brcmfmac: Fix allocation size | expand |
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c index 36af81975855c525..0d283456da331464 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c @@ -1711,7 +1711,7 @@ void brcmf_fws_rxreorder(struct brcmf_if *ifp, struct sk_buff *pkt) buf_size = sizeof(*rfi); max_idx = reorder_data[BRCMF_RXREORDER_MAXIDX_OFFSET]; - buf_size += (max_idx + 1) * sizeof(pkt); + buf_size += (max_idx + 1) * sizeof(struct sk_buff); /* allocate space for flow reorder info */ brcmf_dbg(INFO, "flow-%d: start, maxidx %d\n",
The "pkt" is a pointer to struct sk_buff, so it's just 4 or 8 bytes, while the structure itself is much bigger. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: bbd1f932e7c45ef1 ("brcmfmac: cleanup ampdu-rx host reorder code") Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>