diff options
| author | Vatsal Bucha <vbucha@codeaurora.org> | 2019-02-12 13:28:15 +0530 |
|---|---|---|
| committer | Vatsal Bucha <vbucha@codeaurora.org> | 2019-02-15 12:27:03 +0530 |
| commit | 7e7b058fc8af86447fd049af7221bdaaecf2b13b (patch) | |
| tree | 1e241fe8b7ca13cd26c91a0965d879a90eb1ded7 | |
| parent | 363d4a457d38226dccaa74bf81adb3dc6f823b3e (diff) | |
qdsp6v2: q6usm: Check size of payload before access
Check size of payload array before access in q6usm_callback.
Change-Id: Id0c85209a053f9dfdb53133aeb6b2510ecf18eb8
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
| -rw-r--r-- | drivers/misc/qcom/qdsp6v2/ultrasound/q6usm.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/q6usm.c b/drivers/misc/qcom/qdsp6v2/ultrasound/q6usm.c index 334e705ca8f1..654252ffec60 100644 --- a/drivers/misc/qcom/qdsp6v2/ultrasound/q6usm.c +++ b/drivers/misc/qcom/qdsp6v2/ultrasound/q6usm.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2016, 2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -567,6 +567,11 @@ static int32_t q6usm_callback(struct apr_client_data *data, void *priv) } if (data->opcode == APR_BASIC_RSP_RESULT) { + if (data->payload_size < (2 * sizeof(uint32_t))) { + pr_err("%s: payload has invalid size[%d]\n", __func__, + data->payload_size); + return -EINVAL; + } /* status field check */ if (payload[1]) { pr_err("%s: wrong response[%d] on cmd [%d]\n", @@ -630,6 +635,12 @@ static int32_t q6usm_callback(struct apr_client_data *data, void *priv) opcode = Q6USM_EVENT_READ_DONE; spin_lock_irqsave(&port->dsp_lock, dsp_flags); + if (data->payload_size < + (sizeof(uint32_t)*(READDONE_IDX_STATUS + 1))) { + pr_err("%s: Invalid payload size for READDONE[%d]\n", + __func__, data->payload_size); + return -EINVAL; + } if (payload[READDONE_IDX_STATUS]) { pr_err("%s: wrong READDONE[%d]; token[%d]\n", __func__, @@ -675,6 +686,12 @@ static int32_t q6usm_callback(struct apr_client_data *data, void *priv) struct us_port_data *port = &usc->port[IN]; opcode = Q6USM_EVENT_WRITE_DONE; + if (data->payload_size < + (sizeof(uint32_t)*(WRITEDONE_IDX_STATUS + 1))) { + pr_err("%s: Invalid payload size for WRITEDONE[%d]\n", + __func__, data->payload_size); + return -EINVAL; + } if (payload[WRITEDONE_IDX_STATUS]) { pr_err("%s: wrong WRITEDONE_IDX_STATUS[%d]\n", __func__, |