Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c2e9c807 authored by Bhalchandra Gajare's avatar Bhalchandra Gajare Committed by Gerrit - the friendly Code Review server
Browse files

ASoC: msm-lsm-client: Validate size sent from userspace 



The payload size for keyword detection event status is received from
userspace through IOCTL. This payload size is used to allocate memory in
the driver. Validate the payload size before memory allocation to make
sure the payload size is within the maximum allowed size.

CRs-fixed: 842347
Change-Id: I268dc4b9c7b0219aadac221b2dd0003ea3b4dbad
Signed-off-by: default avatarBhalchandra Gajare <gajare@codeaurora.org>
parent 04179e8e

sound/soc/msm/qdsp6v2/msm-lsm-client.c

+19 −0
Original line number Diff line number Diff line
@@ -37,6 +37,7 @@ 
#define CAPTURE_MAX_NUM_PERIODS     8

#define CAPTURE_MAX_PERIOD_SIZE     4096

#define CAPTURE_MIN_PERIOD_SIZE     320

#define LISTEN_MAX_STATUS_PAYLOAD_SIZE 256



#define LAB_BUFFER_ALLOC 1

#define LAB_BUFFER_DEALLOC 0
@@ -1123,6 +1124,15 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
				__func__, "SNDRV_LSM_EVENT_STATUS32");

			return -EFAULT;

		}



		if (userarg32.payload_size >

		    LISTEN_MAX_STATUS_PAYLOAD_SIZE) {

			pr_err("%s: payload_size %d is invalid, max allowed = %d\n",

				__func__, userarg32.payload_size,

				LISTEN_MAX_STATUS_PAYLOAD_SIZE);

			return -EINVAL;

		}



		size = sizeof(*user) + userarg32.payload_size;

		user = kmalloc(size, GFP_KERNEL);

		if (!user) {
@@ -1563,6 +1573,15 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 
				__func__);

			return -EFAULT;

		}



		if (userarg.payload_size >

		    LISTEN_MAX_STATUS_PAYLOAD_SIZE) {

			pr_err("%s: payload_size %d is invalid, max allowed = %d\n",

				__func__, userarg.payload_size,

				LISTEN_MAX_STATUS_PAYLOAD_SIZE);

			return -EINVAL;

		}



		size = sizeof(struct snd_lsm_event_status) +

		userarg.payload_size;

		user = kmalloc(size, GFP_KERNEL);