Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 34b2e60c authored by Ajit Pandey's avatar Ajit Pandey Committed by ssizon
Browse files

dsp: avtimer: validate payload size before memory copy 



Check payload size to avoid out-of-boundary memory
access before attemptimg memory read.

Change-Id: I94723b526449aacfe7b2fe30990fb77cdd15c5da
Signed-off-by: default avatarAjit Pandey <ajitp@codeaurora.org>
parent 24d689bb

techpack/audio/dsp/avtimer.c

+12 −0
Original line number Original line Diff line number Diff line
@@ -97,6 +97,13 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv) 
		}

		}





		payload1 = data->payload;

		payload1 = data->payload;



		if (data->payload_size < 2 * sizeof(uint32_t)) {

			pr_err("%s: payload has invalid size %d\n",

				__func__, data->payload_size);

			return -EINVAL;

		}



		switch (payload1[0]) {

		switch (payload1[0]) {

		case AVCS_CMD_REMOTE_AVTIMER_RELEASE_REQUEST:

		case AVCS_CMD_REMOTE_AVTIMER_RELEASE_REQUEST:

			pr_debug("%s: Cmd = TIMER RELEASE status[0x%x]\n",

			pr_debug("%s: Cmd = TIMER RELEASE status[0x%x]\n",
@@ -122,6 +129,11 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv) 
	}

	}





	case AVCS_CMD_RSP_REMOTE_AVTIMER_VOTE_REQUEST:

	case AVCS_CMD_RSP_REMOTE_AVTIMER_VOTE_REQUEST:

		if (data->payload_size < sizeof(uint32_t)) {

			pr_err("%s: payload has invalid size %d\n",

				__func__, data->payload_size);

			return -EINVAL;

		}

		payload1 = data->payload;

		payload1 = data->payload;

		pr_debug("%s: RSP_REMOTE_AVTIMER_VOTE_REQUEST handle %x\n",

		pr_debug("%s: RSP_REMOTE_AVTIMER_VOTE_REQUEST handle %x\n",

			__func__, payload1[0]);

			__func__, payload1[0]);