dsp: q6usm: Check size of payload before access (def212b8) · Commits · e / devices / android_kernel_oneplus_sm7250

dsp/q6usm.c

+17 −0

Original line number	Diff line number	Diff line
		@@ -556,6 +556,11 @@ static int32_t q6usm_callback(struct apr_client_data data, void priv)
		}

		if (data->opcode == APR_BASIC_RSP_RESULT) {
		if (data->payload_size < (2 * sizeof(uint32_t))) {
		pr_err("%s: payload has invalid size[%d]\n", __func__,
		data->payload_size);
		return -EINVAL;
		}
		/* status field check */
		if (payload[1]) {
		pr_err("%s: wrong response[%d] on cmd [%d]\n",
		@@ -619,6 +624,12 @@ static int32_t q6usm_callback(struct apr_client_data data, void priv)

		opcode = Q6USM_EVENT_READ_DONE;
		spin_lock_irqsave(&port->dsp_lock, dsp_flags);
		if (data->payload_size <
		(sizeof(uint32_t)*(READDONE_IDX_STATUS + 1))) {
		pr_err("%s: Invalid payload size for READDONE[%d]\n",
		__func__, data->payload_size);
		return -EINVAL;
		}
		if (payload[READDONE_IDX_STATUS]) {
		pr_err("%s: wrong READDONE[%d]; token[%d]\n",
		__func__,
		@@ -665,6 +676,12 @@ static int32_t q6usm_callback(struct apr_client_data data, void priv)
		struct us_port_data *port = &usc->port[IN];

		opcode = Q6USM_EVENT_WRITE_DONE;
		if (data->payload_size <
		(sizeof(uint32_t)*(WRITEDONE_IDX_STATUS + 1))) {
		pr_err("%s: Invalid payload size for WRITEDONE[%d]\n",
		__func__, data->payload_size);
		return -EINVAL;
		}
		if (payload[WRITEDONE_IDX_STATUS]) {
		pr_err("%s: wrong WRITEDONE_IDX_STATUS[%d]\n",
		__func__,