Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 248ce567 authored by Ajit Pandey's avatar Ajit Pandey
Browse files

asoc: msm-routing: Fix array out of bounds issue. 



It seems there is out of bound access chances for lsm_app_type_cfg
array within msm_routing_get_lsm_app_type_cfg_control() callback.
Added case check to return invalid value if user tries to exceed
maximum allocated size of array to avoid it.

Change-Id: Ied86e6c9a957255c55bb126a09741fbde429be32
Signed-off-by: default avatarAjit Pandey <ajitp@codeaurora.org>
parent e25db41d

asoc/msm-pcm-routing-v2.c

+5 −5
Original line number Diff line number Diff line
@@ -21699,16 +21699,16 @@ static int msm_routing_put_lsm_app_type_cfg_control( 
				kcontrol->private_value)->shift;

	int i = 0, j;













	num_app_cfg_types = ucontrol->value.integer.value[i++];













	memset(lsm_app_type_cfg, 0, MAX_APP_TYPES*













	       sizeof(struct msm_pcm_routing_app_type_data));

























	if (num_app_cfg_types > MAX_APP_TYPES) {













	if (ucontrol->value.integer.value[0] > MAX_APP_TYPES) {















		pr_err("%s: number of app types exceed the max supported\n",















			__func__);















		return -EINVAL;















	}



























	num_app_cfg_types = ucontrol->value.integer.value[i++];













	memset(lsm_app_type_cfg, 0, MAX_APP_TYPES*













	       sizeof(struct msm_pcm_routing_app_type_data));



























	for (j = 0; j < num_app_cfg_types; j++) {















		lsm_app_type_cfg[j].app_type =















				ucontrol->value.integer.value[i++];