
Commit 34b2e60c authored by Ajit Pandey's avatar Ajit Pandey Committed by ssizon

dsp: avtimer: validate payload size before memory copy



Check payload size to avoid out-of-boundary memory
access before attempting memory read.

Change-Id: I94723b526449aacfe7b2fe30990fb77cdd15c5da
Signed-off-by: default avatarAjit Pandey <ajitp@codeaurora.org>
parent 24d689bb
+12 −0
@@ -97,6 +97,13 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
		}
		}


		payload1 = data->payload;
		payload1 = data->payload;

		if (data->payload_size < 2 * sizeof(uint32_t)) {
			pr_err("%s: payload has invalid size %d\n",
				__func__, data->payload_size);
			return -EINVAL;
		}

		switch (payload1[0]) {
		switch (payload1[0]) {
		case AVCS_CMD_REMOTE_AVTIMER_RELEASE_REQUEST:
		case AVCS_CMD_REMOTE_AVTIMER_RELEASE_REQUEST:
			pr_debug("%s: Cmd = TIMER RELEASE status[0x%x]\n",
			pr_debug("%s: Cmd = TIMER RELEASE status[0x%x]\n",
@@ -122,6 +129,11 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
	}
	}


	case AVCS_CMD_RSP_REMOTE_AVTIMER_VOTE_REQUEST:
	case AVCS_CMD_RSP_REMOTE_AVTIMER_VOTE_REQUEST:
		if (data->payload_size < sizeof(uint32_t)) {
			pr_err("%s: payload has invalid size %d\n",
				__func__, data->payload_size);
			return -EINVAL;
		}
		payload1 = data->payload;
		payload1 = data->payload;
		pr_debug("%s: RSP_REMOTE_AVTIMER_VOTE_REQUEST handle %x\n",
		pr_debug("%s: RSP_REMOTE_AVTIMER_VOTE_REQUEST handle %x\n",
			__func__, payload1[0]);
			__func__, payload1[0]);
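Review bot: The two new size checks (before `switch (payload1[0])` and under `AVCS_CMD_RSP_REMOTE_AVTIMER_VOTE_REQUEST`) use bare minimums, `2 * sizeof(uint32_t)` and `sizeof(uint32_t)`, with nothing tying them to the words actually read, so a later read of another `payload1[n]` could go past the validated length unnoticed. I would add a comment to each, e.g. `/* reads payload1[0] (command) and payload1[1] (status) */` on the first (the status read is presumably the `pr_debug` argument that falls outside the hunk) and `/* reads payload1[0] (timer handle) */` on the second. The size presumably comes from a packet delivered by the remote side, so `pr_err_ratelimited` in both checks would keep a run of malformed packets from flooding the kernel log. The early `return -EINVAL` in the second case also skips whatever follows the `pr_debug` outside the hunk; if that code wakes a waiter, confirm the waiter times out cleanly. aprv2_core_fn_q starts and ends outside both hunks.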