1. Patchew
  2. linux
  3. View series

[PATCH] staging: rtl8723bs: Use array_size() in rtw_spt_band_alloc

Joshua David Crofts posted 1 patch 2 months, 1 week ago 
drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] staging: rtl8723bs: Use array_size() in rtw_spt_band_alloc
Posted by Joshua David Crofts 2 months, 1 week ago 
Replaced raw multiplication with array_size() macro to prevent
integer overflows. Found using Coccinelle.

Signed-off-by: Joshua David Crofts <joshua.crofts1@gmail.com>
---
 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
index 098456e97..7f0ca5a5e 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
@@ -128,7 +128,8 @@ static struct ieee80211_supported_band *rtw_spt_band_alloc(
 		goto exit;
 
 	spt_band->channels = (struct ieee80211_channel *)(((u8 *)spt_band) + sizeof(struct ieee80211_supported_band));
-	spt_band->bitrates = (struct ieee80211_rate *)(((u8 *)spt_band->channels) + sizeof(struct ieee80211_channel) * n_channels);
+	spt_band->bitrates = (struct ieee80211_rate *)(((u8 *)spt_band->channels) +
+			     array_size(n_channels, sizeof(struct ieee80211_channel)));
 	spt_band->band = band;
 	spt_band->n_channels = n_channels;
 	spt_band->n_bitrates = n_bitrates;
-- 
2.47.3
Re: [PATCH] staging: rtl8723bs: Use array_size() in rtw_spt_band_alloc
Posted by Greg KH 2 months, 1 week ago 
On Wed, Apr 01, 2026 at 07:39:17PM +0200, Joshua David Crofts wrote:
> Replaced raw multiplication with array_size() macro to prevent
> integer overflows. Found using Coccinelle.
> 
> Signed-off-by: Joshua David Crofts <joshua.crofts1@gmail.com>
> ---
>  drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> index 098456e97..7f0ca5a5e 100644
> --- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> @@ -128,7 +128,8 @@ static struct ieee80211_supported_band *rtw_spt_band_alloc(
>  		goto exit;
>  
>  	spt_band->channels = (struct ieee80211_channel *)(((u8 *)spt_band) + sizeof(struct ieee80211_supported_band));
> -	spt_band->bitrates = (struct ieee80211_rate *)(((u8 *)spt_band->channels) + sizeof(struct ieee80211_channel) * n_channels);
> +	spt_band->bitrates = (struct ieee80211_rate *)(((u8 *)spt_band->channels) +
> +			     array_size(n_channels, sizeof(struct ieee80211_channel)));

Can this ever overflow?  Who controls n_channels, and why isn't it
bounds check before this?  Also, this is just getting a pointer to a
structure, it's not overflowing a size of an allocation.

thanks,

greg k-h
Re: [PATCH] staging: rtl8723bs: Use array_size() in rtw_spt_band_alloc
Posted by Joshua Crofts 2 months, 1 week ago 
On Wed, 1 Apr 2026 at 20:15, Greg KH <gregkh@linuxfoundation.org> wrote:
>
> Can this ever overflow?  Who controls n_channels, and why isn't it
> bounds check before this?  Also, this is just getting a pointer to a
> structure, it's not overflowing a size of an allocation.

Hi Greg,

You're right, this is pointer arithmetic, not an alloc. I was investigating a
Coccinelle warning and hadn't fully considered the context. This is my
first kernel patch after all.

Please drop this patch and thanks for your time reviewing it.

Kind regards

CJD

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.