Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4965b8d6 authored by Vignesh Kulothungan's avatar Vignesh Kulothungan
Browse files

dsp: adm: modify adm callback payload size checks 



Validate payload size before accessing data from ADSP.
Modify payload size checks to accommodate for variable
payloads, payload size vary from size of one integer to
many based on opcode and other variables.

CRs-Fixed: 2380694
Change-Id: Ic5e0eb72441da8f29cf645968c9df09e7803701a
Signed-off-by: default avatarVignesh Kulothungan <vigneshk@codeaurora.org>
parent 7e7016f0

dsp/q6adm.c

+34 −20
Original line number Diff line number Diff line
@@ -1510,7 +1510,7 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv) 
	}



	adm_callback_debug_print(data);

	if (data->payload_size) {

	if (data->payload_size >= sizeof(uint32_t)) {

		copp_idx = (data->token) & 0XFF;

		port_idx = ((data->token) >> 16) & 0xFF;

		client_id = ((data->token) >> 8) & 0xFF;
@@ -1530,13 +1530,20 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv) 
			return 0;

		}

		if (data->opcode == APR_BASIC_RSP_RESULT) {

			if (data->payload_size < (2 * sizeof(uint32_t))) {

				pr_err("%s: Invalid payload size %d\n", __func__,

					data->payload_size);

				return 0;

			}

			pr_debug("%s: APR_BASIC_RSP_RESULT id 0x%x\n",

				__func__, payload[0]);



			if (!((client_id != ADM_CLIENT_ID_SOURCE_TRACKING) &&

			     ((payload[0] == ADM_CMD_SET_PP_PARAMS_V5) ||

			      (payload[0] == ADM_CMD_SET_PP_PARAMS_V6)))) {

				if (data->payload_size <

						(2 * sizeof(uint32_t))) {

					pr_err("%s: Invalid payload size %d\n",

						__func__, data->payload_size);

					return 0;

				}

			}



			if (payload[1] != 0) {

				pr_err("%s: cmd = 0x%x returned error = 0x%x\n",

					__func__, payload[0], payload[1]);
@@ -1718,8 +1725,10 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv) 
		case ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST_V2:

			pr_debug("%s: ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST\n",

				 __func__);

			if (data->payload_size >= (2 * sizeof(uint32_t))) {

				num_modules = payload[1];

			pr_debug("%s: Num modules %d\n", __func__, num_modules);

				pr_debug("%s: Num modules %d\n", __func__,

					 num_modules);

				if (payload[0]) {

					pr_err("%s: ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST, error = %d\n",

					       __func__, payload[0]);
@@ -1728,12 +1737,17 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv) 
					       __func__, num_modules);

				} else {

					ret = adm_process_get_topo_list_response(

					data->opcode, copp_idx, num_modules,

					payload, data->payload_size);

						data->opcode, copp_idx,

						num_modules, payload,

						data->payload_size);

					if (ret)

						pr_err("%s: Failed to process get topo modules list response, error %d\n",

						       __func__, ret);

				}

			} else {

				pr_err("%s: Invalid payload size %d\n",

					__func__, data->payload_size);

			}

			atomic_set(&this_adm.copp.stat[port_idx][copp_idx],

				   payload[0]);

			wake_up(&this_adm.copp.wait[port_idx][copp_idx]);