Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cf353edb authored by Xiaojun Sang's avatar Xiaojun Sang
Browse files

dsp: validate token before usage as array index 



Token from DSP  might be invalid for array index. Validate the token
before being used as array index.

Change-Id: I9f47e1328d75d9f9acf7e85ddb452019b6eced0a
Signed-off-by: default avatarXiaojun Sang <xsang@codeaurora.org>
parent 914aaa0a

dsp/q6afe.c

+29 −5
Original line number Diff line number Diff line
@@ -460,6 +460,15 @@ static void afe_notify_spdif_fmt_update(void *payload) 
	schedule_work(&this_afe.afe_spdif_work);

}



static bool afe_token_is_valid(uint32_t token)

{

	if (token >= AFE_MAX_PORTS) {

		pr_err("%s: token %d is invalid.\n", __func__, token);

		return false;

	}

	return true;

}



static int32_t afe_callback(struct apr_client_data *data, void *priv)

{

	if (!data) {
@@ -536,7 +545,10 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) 
						 data->payload_size))

				return -EINVAL;

		}

		if (afe_token_is_valid(data->token))

			wake_up(&this_afe.wait[data->token]);

		else

			return -EINVAL;

	} else if (data->opcode == AFE_EVENT_MBHC_DETECTION_SW_WA) {

		msm_aud_evt_notifier_call_chain(SWR_WAKE_IRQ_EVENT, NULL);

	} else if (data->payload_size) {
@@ -572,7 +584,10 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) 
			case AFE_SVC_CMD_SET_PARAM_V2:

			case AFE_PORT_CMD_MOD_EVENT_CFG:

				atomic_set(&this_afe.state, 0);

				if (afe_token_is_valid(data->token))

					wake_up(&this_afe.wait[data->token]);

				else

					return -EINVAL;

				break;

			case AFE_SERVICE_CMD_REGISTER_RT_PORT_DRIVER:

				break;
@@ -584,7 +599,10 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) 
				break;

			case AFE_CMD_ADD_TOPOLOGIES:

				atomic_set(&this_afe.state, 0);

				if (afe_token_is_valid(data->token))

					wake_up(&this_afe.wait[data->token]);

				else

					return -EINVAL;

				pr_debug("%s: AFE_CMD_ADD_TOPOLOGIES cmd 0x%x\n",

						__func__, payload[1]);

				break;
@@ -608,7 +626,10 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) 
						return 0;

				}

				atomic_set(&this_afe.state, payload[1]);

				if (afe_token_is_valid(data->token))

					wake_up(&this_afe.wait[data->token]);

				else

					return -EINVAL;

				break;

			case AFE_SVC_CMD_EVENT_CFG:

				atomic_set(&this_afe.state, payload[1]);
@@ -632,7 +653,10 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) 
			else

				this_afe.mmap_handle = payload[0];

			atomic_set(&this_afe.state, 0);

			if (afe_token_is_valid(data->token))

				wake_up(&this_afe.wait[data->token]);

			else

				return -EINVAL;

		} else if (data->opcode == AFE_EVENT_RT_PROXY_PORT_STATUS) {

			port_id = (uint16_t)(0x0000FFFF & payload[0]);

		} else if (data->opcode == AFE_PORT_MOD_EVENT) {