brcmfmac: use kcalloc() to prevent integer overflow
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 26 Sep 2012 07:21:48 +0000 (10:21 +0300)
committerJohn W. Linville <linville@tuxdriver.com>
Fri, 28 Sep 2012 17:54:06 +0000 (13:54 -0400)
The multiplication here looks like it could overflow.  I've changed it
to use kcalloc() to prevent that.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c

index e40cfe846a48903c976bebda15b8aea990f4ffd7..24e8f8d708ade73e5d6ca25875cf388e925ba362 100644 (file)
@@ -3297,8 +3297,8 @@ brcmf_notify_sched_scan_results(struct brcmf_cfg80211_priv *cfg_priv,
                int i;
 
                request = kzalloc(sizeof(*request), GFP_KERNEL);
-               ssid = kzalloc(sizeof(*ssid) * result_count, GFP_KERNEL);
-               channel = kzalloc(sizeof(*channel) * result_count, GFP_KERNEL);
+               ssid = kcalloc(result_count, sizeof(*ssid), GFP_KERNEL);
+               channel = kcalloc(result_count, sizeof(*channel), GFP_KERNEL);
                if (!request || !ssid || !channel) {
                        err = -ENOMEM;
                        goto out_err;