Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 217ea943 authored by Jilai Wang's avatar Jilai Wang
Browse files

msm: npu: Avoid buffer overflow when handling get_property packet 



If packet size is set to invalid value by firmware, when driver
tries to copy property content to memory, it could cause buffer
overflow. To avoid this, packet size needs to be checked to make
sure it's valid.

Change-Id: Iba048429f12aa7c003e5256bd026449c0b25e9d9
Signed-off-by: default avatarJilai Wang <quic_jilaiw@quicinc.com>
parent 90de98df

drivers/media/platform/msm/npu/npu_mgr.c

+7 −0
Original line number Original line Diff line number Diff line
@@ -1845,6 +1845,13 @@ static int app_msg_proc(struct npu_host_ctx *host_ctx, uint32_t *msg) 
			break;

			break;

		}

		}





		if (prop_rsp_pkt->header.size <

			sizeof(struct ipc_msg_header_pkt)) {

			NPU_ERR("Invalid rsp pkt size %d\n",

				prop_rsp_pkt->header.size);

			break;

		}



		misc_cmd->ret_status = prop_rsp_pkt->header.status;

		misc_cmd->ret_status = prop_rsp_pkt->header.status;





		if (prop_rsp_pkt->num_params > 0) {

		if (prop_rsp_pkt->num_params > 0) {