Commit 4eb791e7 authored Oct 09, 2019 by Soumya Managoli

msm: adm: Fix memory overread in adm callback



For ADM_CMDRSP_GET_PP_PARAMS_V5 cmd response,
the check for data payload_size is incorrect.
Modify the check condition to make sure there
is enough data to copy, size is contained in
payload[3].

Change-Id: I2f155ad8b302e89131ee85cfc72e4009dda617d3
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>

parent ff1de12d

sound/soc/msm/qdsp6v2/q6adm.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1572,7 +1572,8 @@ static int32_t adm_callback(struct apr_client_data data, void priv)
		idx = ADM_GET_PARAMETER_LENGTH * copp_idx;
		if ((payload[0] == 0) && (data->payload_size >
		(4 * sizeof(*payload))) &&
		(data->payload_size - 4 >=
		(data->payload_size -
		(4 * sizeof(*payload)) >=
		payload[3]) &&
		(ARRAY_SIZE(adm_get_parameters) >
		idx) &&