dsp: adm: Add error check to avoid memory overread

For ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST adsp response,
add additional check to make sure there is enough
data for copy from adsp payload.

Change-Id: Ib8fef116ca73ce68e872616db969f7112f289b69
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>

1 files changed, 7 insertions, 4 deletions

diff --git a/dsp/q6adm.c b/dsp/q6adm.c
index 8d8a473..5987d39 100644
--- a/dsp/q6adm.c
+++ b/dsp/q6adm.c
@@ -1803,9 +1803,12 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
 				pr_err(":err = 0x%x\n", payload[0]);
 			} else if (data->payload_size >=
 				   (2 * sizeof(uint32_t))) {
-				if (payload[1] >
+				if ((payload[1] >
 				    ((ADM_GET_TOPO_MODULE_LIST_LENGTH /
-				    sizeof(uint32_t)) - 1)) {
+				    sizeof(uint32_t)) - 1)) ||
+				((data->payload_size -
+					(2 *  sizeof(uint32_t))) <
+					(payload[1] * sizeof(uint32_t)))) {
 					pr_err("%s: ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST",
 						 __func__);
 					pr_err(":size = %d\n", payload[1]);
@@ -1819,8 +1822,8 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
 						adm_module_topo_list[idx+i] =
 							payload[1+i];
 						pr_debug("%s:payload[%d] = %x\n",
-							 __func__, (i+1),
-							 payload[1+i]);
+							__func__, (i+1),
+							payload[1+i]);
 					}
 				}
 			} else