diff options
| author | Karthikeyan Mani <kmani@codeaurora.org> | 2019-03-12 23:03:18 -0700 |
|---|---|---|
| committer | Karthikeyan Mani <kmani@codeaurora.org> | 2019-04-29 10:52:29 -0700 |
| commit | 641f454cb5de2139c8d1c6d2e02a4292f9be8d20 (patch) | |
| tree | b6ed983f71e8534d6a0c5242d82bb89bd1f81118 | |
| parent | d9f2f007f3f01cd23e660119c338a9d184d42536 (diff) | |
dsp: afe: check for payload size before payload access
Check if payload data is big enough before accessing
the data in it.
Change-Id: I939f205a8cebf6ef4859f81fae5429bca013d540
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
| -rw-r--r-- | sound/soc/msm/qdsp6v2/q6afe.c | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/sound/soc/msm/qdsp6v2/q6afe.c b/sound/soc/msm/qdsp6v2/q6afe.c index 752b662da4ea..4e1965302ba1 100644 --- a/sound/soc/msm/qdsp6v2/q6afe.c +++ b/sound/soc/msm/qdsp6v2/q6afe.c @@ -554,6 +554,7 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3) { uint32_t *payload = data->payload; uint32_t param_id; + uint32_t param_id_pos = 0; if (!payload || (data->token >= AFE_MAX_PORTS)) { pr_err("%s: Error: size %d payload %pK token %d\n", @@ -562,17 +563,26 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) return -EINVAL; } - param_id = (data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3) ? - payload[3] : - payload[2]; + if (rtac_make_afe_callback(data->payload, + data->payload_size)) + return 0; + + if (data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3) + param_id_pos = 4; + else + param_id_pos = 3; + + if (data->payload_size >= param_id_pos * sizeof(uint32_t)) + param_id = payload[param_id_pos - 1]; + else { + pr_err("%s: Error: size %d is less than expected\n", + __func__, data->payload_size); + return -EINVAL; + } if (param_id == AFE_PARAM_ID_DEV_TIMING_STATS) { av_dev_drift_afe_cb_handler(data->opcode, data->payload, data->payload_size); } else { - if (rtac_make_afe_callback(data->payload, - data->payload_size)) - return 0; - if (sp_make_afe_callback(data->opcode, data->payload, data->payload_size)) return -EINVAL; @@ -595,6 +605,11 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) uint16_t port_id = 0; payload = data->payload; if (data->opcode == APR_BASIC_RSP_RESULT) { + if (data->payload_size < (2 * sizeof(uint32_t))) { + pr_err("%s: Error: size %d is less than expected\n", + __func__, data->payload_size); + return -EINVAL; + } pr_debug("%s:opcode = 0x%x cmd = 0x%x status = 0x%x token=%d\n", __func__, data->opcode, payload[0], payload[1], data->token); |