ASoC: msm-pcm-host-voice: Handle OOB access in hpcm_start.

There is no error check for case when hpcm_start
is called for the same RX or TX tap points multiple times.
This can result in OOB access of struct vss_ivpcm_tap_point.
Handle this scenario with appropriate no_of_tp check.

Change-Id: Ib384d21c9bf372f3e5d78f64b5c056e836728399
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
(cherry picked from commit 521277c4c3ffc4a3f4a232de41cfa4fc7b6aaa35)

1 files changed, 7 insertions, 0 deletions

diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c
index bb4ab8f4a549..6dc8289ffce1 100644
--- a/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-host-voice-v2.c
@@ -1,4 +1,5 @@
 /* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -644,6 +645,12 @@ static int hpcm_start_vocpcm(char *pcm_id, struct hpcm_drv *prtd,
 		}
 	}
 
+	if (*no_of_tp != no_of_tp_req && *no_of_tp > 2) {
+		pr_err("%s:: Invalid hpcm start request\n", __func__);
+		memset(&prtd->start_cmd, 0, sizeof(struct start_cmd));
+		return -EINVAL;
+	}
+
 	if ((prtd->mixer_conf.tx.enable || prtd->mixer_conf.rx.enable) &&
 	    *no_of_tp == no_of_tp_req) {
 		voc_send_cvp_start_vocpcm(voc_get_session_id(sess_name),