Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d30e9037 authored by Soumya Managoli's avatar Soumya Managoli
Browse files

ASoC: msm-pcm-host-voice: Address buffer overflow in hpcm copy



Add check for the max hpcm_buf_node size before copy to avoid
buffer out of bounds issue.

Change-Id: Id647888430ce302359a857ef54d321bee99889bf
Signed-off-by: default avatarSoumya Managoli <quic_c_smanag@quicinc.com>
parent c03b479e
Loading
Loading
Loading
Loading
+12 −0
Original line number Diff line number Diff line
// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
 * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.
 */

#include <linux/init.h>
@@ -656,6 +657,11 @@ static void hpcm_copy_playback_data_from_queue(struct dai_data *dai_data,
				struct hpcm_buf_node, list);
		list_del(&buf_node->list);
		*len = buf_node->frame.len;
		if (*len > HPCM_MAX_VOC_PKT_SIZE) {
			pr_err("%s: Playback data len %d overflow\n",
					__func__, *len);
			return;
		}
		memcpy((u8 *)dai_data->vocpcm_ion_buffer.kvaddr,
		       &buf_node->frame.voc_pkt[0],
		       buf_node->frame.len);
@@ -683,6 +689,12 @@ static void hpcm_copy_capture_data_to_queue(struct dai_data *dai_data,
	if (dai_data->substream == NULL)
		return;

	if (len > HPCM_MAX_VOC_PKT_SIZE) {
		pr_err("%s: Copy capture data len %d overflow\n",
			__func__, len);
		return;
	}

	/* Copy out buffer packet into free_queue */
	spin_lock_irqsave(&dai_data->dsp_lock, dsp_flags);