dsp: adm: Add error check to avoid memory overread

For ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST adsp response, add additional check to make sure there is enough data for copy from adsp payload. Change-Id: Ib8fef116ca73ce68e872616db969f7112f289b69 Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
author: Soumya Managoli <smanag@codeaurora.org> 2019-08-28 16:47:22 +0530
committer: Soumya Managoli <smanag@codeaurora.org> 2019-09-06 11:49:12 +0530
commit: 6afdb8bf450f0828e293bccc902333c5d10a1e0b (patch)
tree: 15ae0a188f000115a8c85b12663cbc0ef03ba874
parent: 33005fb123827c8960fb903f7327c127cc3968b9 (diff)
1 files changed, 7 insertions, 4 deletions
diff --git a/dsp/q6adm.c b/dsp/q6adm.c
index 8d8a473..5987d39 100644
--- a/dsp/q6adm.c
+++ b/dsp/q6adm.c
@@ -1803,9 +1803,12 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
 				pr_err(":err = 0x%x\n", payload[0]);
 			} else if (data->payload_size >=
 				   (2 * sizeof(uint32_t))) {
-				if (payload[1] >
+				if ((payload[1] >
 				    ((ADM_GET_TOPO_MODULE_LIST_LENGTH /
-				    sizeof(uint32_t)) - 1)) {
+				    sizeof(uint32_t)) - 1)) ||
+				((data->payload_size -
+					(2 *  sizeof(uint32_t))) <
+					(payload[1] * sizeof(uint32_t)))) {
 					pr_err("%s: ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST",
 						 __func__);
 					pr_err(":size = %d\n", payload[1]);
@@ -1819,8 +1822,8 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
 						adm_module_topo_list[idx+i] =
 							payload[1+i];
 						pr_debug("%s:payload[%d] = %x\n",
-							 __func__, (i+1),
-							 payload[1+i]);
+							__func__, (i+1),
+							payload[1+i]);
 					}
 				}
 			} else
author	Soumya Managoli <smanag@codeaurora.org>	2019-08-28 16:47:22 +0530
committer	Soumya Managoli <smanag@codeaurora.org>	2019-09-06 11:49:12 +0530
commit	6afdb8bf450f0828e293bccc902333c5d10a1e0b (patch)
tree	15ae0a188f000115a8c85b12663cbc0ef03ba874
parent	33005fb123827c8960fb903f7327c127cc3968b9 (diff)