Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1e794a0e authored by Bhalchandra Gajare's avatar Bhalchandra Gajare
Browse files

ASoC: msm-cpe-lsm: Validate the payload size before allocation 



The payload size for keyword detection event status is received from
userspace through IOCTL. This payload size is used to allocate memory in
the driver. Validate the payload size before memory allocation to make
sure the payload size is within the maximum allowed size.

CRs-fixed: 842343
Change-Id: I975201e79ab4b111a1b2aad0be6aa65fdec71dcc
Signed-off-by: default avatarBhalchandra Gajare <gajare@codeaurora.org>
parent 125aa701

sound/soc/msm/msm-cpe-lsm.c

+22 −0
Original line number Diff line number Diff line
@@ -33,6 +33,7 @@ 
#define LISTEN_MAX_NUM_PERIODS     8

#define LISTEN_MAX_PERIOD_SIZE     4096

#define LISTEN_MIN_PERIOD_SIZE     320

#define LISTEN_MAX_STATUS_PAYLOAD_SIZE 256



#define MSM_CPE_LAB_THREAD_TIMEOUT (3 * (HZ/10))
@@ -1484,6 +1485,17 @@ static int msm_cpe_lsm_ioctl(struct snd_pcm_substream *substream, 
			err = -EFAULT;

			goto done;

		}



		if (u_event_status.payload_size >

		    LISTEN_MAX_STATUS_PAYLOAD_SIZE) {

			dev_err(rtd->dev,

				"%s: payload_size %d is invalid, max allowed = %d\n",

				__func__, u_event_status.payload_size,

				LISTEN_MAX_STATUS_PAYLOAD_SIZE);

			err = -EINVAL;

			goto done;

		}



		u_pld_size = sizeof(struct snd_lsm_event_status) +

				u_event_status.payload_size;
@@ -1673,6 +1685,16 @@ static int msm_cpe_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			goto done;

		}



		if (u_event_status32.payload_size >

		   LISTEN_MAX_STATUS_PAYLOAD_SIZE) {

			dev_err(rtd->dev,

				"%s: payload_size %d is invalid, max allowed = %d\n",

				__func__, u_event_status32.payload_size,

				LISTEN_MAX_STATUS_PAYLOAD_SIZE);

			err = -EINVAL;

			goto done;

		}



		u_pld_size = sizeof(struct snd_lsm_event_status) +

				u_event_status32.payload_size;

		event_status = kzalloc(u_pld_size, GFP_KERNEL);