Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dac64810 authored by Vidyakumar Athota's avatar Vidyakumar Athota Committed by Gerrit - the friendly Code Review server
Browse files

ASoC: msm: qdsp6v2: add size check to fix out of bounds issue 



Before calling audio calibration ioctl functions, compare the
allocated buffer size to the size of the header and cal type header
to ensure the buffer is big enough.

Change-Id: I601bb37ddcc34d459c207cf579f29744fe912d7b
Signed-off-by: default avatarVidyakumar Athota <vathota@codeaurora.org>
parent 998e5be1

sound/soc/msm/qdsp6v2/audio_calibration.c

+7 −7
Original line number Diff line number Diff line
@@ -453,6 +453,12 @@ static long audio_cal_shared_ioctl(struct file *file, unsigned int cmd, 
			data->cal_type.cal_hdr.buffer_number);

		ret = -EINVAL;

		goto done;

	} else if ((data->hdr.cal_type_size + sizeof(data->hdr)) > size) {

		pr_err("%s: cal type hdr size %zd + cal type size %d is greater than user buffer size %d\n",

			__func__, sizeof(data->hdr), data->hdr.cal_type_size,

			size);

		ret = -EFAULT;

		goto done;

	}
@@ -490,13 +496,7 @@ static long audio_cal_shared_ioctl(struct file *file, unsigned int cmd, 
			goto unlock;

		if (data == NULL)

			goto unlock;

		if ((sizeof(data->hdr) + data->hdr.cal_type_size) > size) {

			pr_err("%s: header size %zd plus cal type size %d are greater than data buffer size %d\n",

				__func__, sizeof(data->hdr),

				data->hdr.cal_type_size, size);

			ret = -EFAULT;

			goto unlock;

		} else if (copy_to_user((void *)arg, data,

		if (copy_to_user(arg, data,

			sizeof(data->hdr) + data->hdr.cal_type_size)) {

			pr_err("%s: Could not copy cal type to user\n",

				__func__);