authorSoumya Managoli <smanag@codeaurora.org>2019-08-28 16:47:22 +0530
committerSoumya Managoli <smanag@codeaurora.org>2019-09-06 11:49:12 +0530
commit6afdb8bf450f0828e293bccc902333c5d10a1e0b (patch)
tree15ae0a188f000115a8c85b12663cbc0ef03ba874
parent33005fb123827c8960fb903f7327c127cc3968b9 (diff)
dsp: adm: Add error check to avoid memory overread
For ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST adsp response, add additional check to make sure there is enough data for copy from adsp payload. Change-Id: Ib8fef116ca73ce68e872616db969f7112f289b69 Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
-rw-r--r--dsp/q6adm.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/dsp/q6adm.c b/dsp/q6adm.c
index 8d8a473..5987d39 100644
--- a/dsp/q6adm.c
+++ b/dsp/q6adm.c
@@ -1803,9 +1803,12 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
pr_err(":err = 0x%x\n", payload[0]);
} else if (data->payload_size >=
(2 * sizeof(uint32_t))) {
- if (payload[1] >
+ if ((payload[1] >
((ADM_GET_TOPO_MODULE_LIST_LENGTH /
- sizeof(uint32_t)) - 1)) {
+ sizeof(uint32_t)) - 1)) ||
+ ((data->payload_size -
+ (2 * sizeof(uint32_t))) <
+ (payload[1] * sizeof(uint32_t)))) {
pr_err("%s: ADM_CMDRSP_GET_PP_TOPO_MODULE_LIST",
__func__);
pr_err(":size = %d\n", payload[1]);
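Review bot: The added length clause in the `if` is safe only because of two ordering facts that the code does not state. `data->payload_size - (2 * sizeof(uint32_t))` cannot underflow because the enclosing `else if` already requires two words, and `payload[1] * sizeof(uint32_t)` cannot wrap on a 32-bit `size_t` because the `||` tests the count bound first. A comment above the condition would keep a later reorder from reopening the overread, for example `/* count is bounded first so payload[1] * sizeof(uint32_t) cannot wrap; payload_size >= 2 words is guaranteed by the enclosing else-if */`. The rejection path still logs only `payload[1]`, so a truncated response looks the same as an oversized count; adding `data->payload_size` to that `pr_err` would help triage, and `%u` would fit better than `%d` if `payload` is a `uint32_t *`, which the hunk suggests but does not show. The enclosing branch of `adm_callback` starts and ends outside this hunk.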
@@ -1819,8 +1822,8 @@ static int32_t adm_callback(struct apr_client_data *data, void *priv)
adm_module_topo_list[idx+i] =
payload[1+i];
pr_debug("%s:payload[%d] = %x\n",
- __func__, (i+1),
- payload[1+i]);
+ __func__, (i+1),
+ payload[1+i]);
}
}
} else