Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d30e9037 authored by Soumya Managoli's avatar Soumya Managoli
Browse files

ASoC: msm-pcm-host-voice: Address buffer overflow in hpcm copy 



Add check for the max hpcm_buf_node size before copy to avoid
buffer out of bounds issue.

Change-Id: Id647888430ce302359a857ef54d321bee99889bf
Signed-off-by: default avatarSoumya Managoli <quic_c_smanag@quicinc.com>
parent c03b479e

asoc/msm-pcm-host-voice-v2.c

+12 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.

 * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.

 */



#include <linux/init.h>
@@ -656,6 +657,11 @@ static void hpcm_copy_playback_data_from_queue(struct dai_data *dai_data, 
				struct hpcm_buf_node, list);

		list_del(&buf_node->list);

		*len = buf_node->frame.len;

		if (*len > HPCM_MAX_VOC_PKT_SIZE) {

			pr_err("%s: Playback data len %d overflow\n",

					__func__, *len);

			return;

		}

		memcpy((u8 *)dai_data->vocpcm_ion_buffer.kvaddr,

		       &buf_node->frame.voc_pkt[0],

		       buf_node->frame.len);
@@ -683,6 +689,12 @@ static void hpcm_copy_capture_data_to_queue(struct dai_data *dai_data, 
	if (dai_data->substream == NULL)

		return;



	if (len > HPCM_MAX_VOC_PKT_SIZE) {

		pr_err("%s: Copy capture data len %d overflow\n",

			__func__, len);

		return;

	}



	/* Copy out buffer packet into free_queue */

	spin_lock_irqsave(&dai_data->dsp_lock, dsp_flags);