diff options
| author | Linux Build Service Account <lnxbuild@localhost> | 2019-04-30 04:41:33 -0700 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-04-30 04:41:33 -0700 |
| commit | 744acb857e4b625e2040f8120c87f69b042461b5 (patch) | |
| tree | 3cb69470319b3e3765e17ebc464b96e6fa520772 | |
| parent | f12b2d3f77a5c7852924a14d0214dd380676e825 (diff) | |
| parent | 641f454cb5de2139c8d1c6d2e02a4292f9be8d20 (diff) | |
Merge "dsp: afe: check for payload size before payload access"
| -rw-r--r-- | sound/soc/msm/qdsp6v2/q6afe.c | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/sound/soc/msm/qdsp6v2/q6afe.c b/sound/soc/msm/qdsp6v2/q6afe.c index 752b662da4ea..4e1965302ba1 100644 --- a/sound/soc/msm/qdsp6v2/q6afe.c +++ b/sound/soc/msm/qdsp6v2/q6afe.c @@ -554,6 +554,7 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3) { uint32_t *payload = data->payload; uint32_t param_id; + uint32_t param_id_pos = 0; if (!payload || (data->token >= AFE_MAX_PORTS)) { pr_err("%s: Error: size %d payload %pK token %d\n", @@ -562,17 +563,26 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) return -EINVAL; } - param_id = (data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3) ? - payload[3] : - payload[2]; + if (rtac_make_afe_callback(data->payload, + data->payload_size)) + return 0; + + if (data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3) + param_id_pos = 4; + else + param_id_pos = 3; + + if (data->payload_size >= param_id_pos * sizeof(uint32_t)) + param_id = payload[param_id_pos - 1]; + else { + pr_err("%s: Error: size %d is less than expected\n", + __func__, data->payload_size); + return -EINVAL; + } if (param_id == AFE_PARAM_ID_DEV_TIMING_STATS) { av_dev_drift_afe_cb_handler(data->opcode, data->payload, data->payload_size); } else { - if (rtac_make_afe_callback(data->payload, - data->payload_size)) - return 0; - if (sp_make_afe_callback(data->opcode, data->payload, data->payload_size)) return -EINVAL; @@ -595,6 +605,11 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) uint16_t port_id = 0; payload = data->payload; if (data->opcode == APR_BASIC_RSP_RESULT) { + if (data->payload_size < (2 * sizeof(uint32_t))) { + pr_err("%s: Error: size %d is less than expected\n", + __func__, data->payload_size); + return -EINVAL; + } pr_debug("%s:opcode = 0x%x cmd = 0x%x status = 0x%x token=%d\n", __func__, data->opcode, payload[0], payload[1], data->token); |