From 7f5bd7bd2b8863e4053b3deb650ebfb61dbd9dcc Mon Sep 17 00:00:00 2001
From: Soumya Managoli <quic_c_smanag@quicinc.com>
Date: Fri, 1 Sep 2023 13:11:33 +0530
Subject: dsp: afe: Add check for sidetone iir config copy size.

Avoid OOB access of sidetone iir config array when
iir_num_biquad_stages returned from cal block is > 10

Change-Id: I45b95e8bdd1a993a526590c94cf2f9a85c12af37
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
---
 sound/soc/msm/qdsp6v2/q6afe.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sound/soc/msm/qdsp6v2/q6afe.c b/sound/soc/msm/qdsp6v2/q6afe.c
index 610604fcfe15..21370dbadb5b 100644
--- a/sound/soc/msm/qdsp6v2/q6afe.c
+++ b/sound/soc/msm/qdsp6v2/q6afe.c
@@ -5475,6 +5475,13 @@ static int afe_sidetone_iir(u16 tx_port_id)
 		pr_debug("%s: adding 2 to size:%d\n", __func__, size);
 		size = size + 2;
 	}
+
+	if (size > MAX_SIDETONE_IIR_DATA_SIZE) {
+		pr_err("%s: iir_config size is out of bounds:%d\n", __func__, size);
+		mutex_unlock(&this_afe.cal_data[cal_index]->lock);
+		ret = -EINVAL;
+		goto done;
+	}
 	memcpy(&filter_data.iir_config, &st_iir_cal_info->iir_config, size);
 	mutex_unlock(&this_afe.cal_data[cal_index]->lock);
 
-- 
cgit v1.2.3