Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 00479439 authored by Soumya Managoli's avatar Soumya Managoli Committed by Gerrit - the friendly Code Review server
Browse files

ASoC: msm-pcm-voip: Avoid interger underflow 



There is no check for voip pkt pkt_len,if it contains the
minimum required data. This can lead to integer underflow.
Add check for the same.

Change-Id: I4f57eb125967d52ad8da60d21a440af1f81d2579
Signed-off-by: default avatarSoumya Managoli <quic_c_smanag@quicinc.com>
parent cb026c53

asoc/msm-pcm-voip-v2.c

+29 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.

 * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.

 */



#include <linux/init.h>
@@ -365,6 +366,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, 
		switch (prtd->mode) {

		case MODE_AMR_WB:

		case MODE_AMR: {

			if (pkt_len <= DSP_FRAME_HDR_LEN) {

				pr_err("%s: pkt_len %d is < required len\n",

						__func__, pkt_len);

				spin_unlock_irqrestore(&prtd->dsp_ul_lock,

							dsp_flags);

				return;

			}

			/* Remove the DSP frame info header. Header format:

			 * Bits 0-3: Frame rate

			 * Bits 4-7: Frame type
@@ -385,6 +393,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, 
		case MODE_4GV_NB:

		case MODE_4GV_WB:

		case MODE_4GV_NW: {

			if (pkt_len <= DSP_FRAME_HDR_LEN) {

				pr_err("%s: pkt_len %d is < required len\n",

						__func__, pkt_len);

				spin_unlock_irqrestore(&prtd->dsp_ul_lock,

							dsp_flags);

				return;

			}

			/* Remove the DSP frame info header.

			 * Header format:

			 * Bits 0-3: frame rate
@@ -422,6 +437,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, 
			buf_node->frame.frm_hdr.timestamp = timestamp;

			voc_pkt = voc_pkt + DSP_FRAME_HDR_LEN;



			if (pkt_len <= 2 * DSP_FRAME_HDR_LEN) {

				pr_err("%s: pkt_len %d is < required len\n",

						__func__, pkt_len);

				spin_unlock_irqrestore(&prtd->dsp_ul_lock,

							dsp_flags);

				return;

			}

			/* There are two frames in the buffer. Length of the

			 * first frame:

			 */
@@ -457,6 +479,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, 
				buf_node->frame.frm_hdr.timestamp = timestamp;

				voc_pkt = voc_pkt + DSP_FRAME_HDR_LEN;



				if (pkt_len <= 2 * DSP_FRAME_HDR_LEN) {

					pr_err("%s: pkt_len %d is < required len\n",

							__func__, pkt_len);

					spin_unlock_irqrestore(&prtd->dsp_ul_lock,

								dsp_flags);

					return;

				}

				/* There are two frames in the buffer. Length

				 * of the second frame:

				 */