author | Kunlei Zhang <kunleiz@codeaurora.org> | 2021-04-12 14:24:47 +0800 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2021-04-12 00:57:26 -0700 |
commit | 480d292eeea8db219345fc109facb004bb3d7943 (patch) | |
tree | 32746354510cbd93a5f212cce39ee2aad7f963ba | |
parent | 3c798f47b4ff7a9de3acff3773b00cafe1cf0cfc (diff) | |
dsp: update size check for get VI param function
In the afe_get_cal_sp_th_vi_param functions, the data size
should be checked against the size of cal_type_header. This check
is not present, which might lead to an out-of-bounds access.
Update the condition to ensure data_size is greater than
or equal to the size of cal_type_header.
Change-Id: I8fb5cc20102ed4c0ac6708cfa8521e9082d768dc
Signed-off-by: Kunlei Zhang <kunleiz@codeaurora.org>
-rw-r--r-- | 4.0/dsp/q6afe.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/4.0/dsp/q6afe.c b/4.0/dsp/q6afe.c
index e3d75ccc..cc6288da 100644
--- a/4.0/dsp/q6afe.c
+++ b/4.0/dsp/q6afe.c
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: GPL-2.0-only
-/* Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
 */
 #include <linux/slab.h>
 #include <linux/debugfs.h>
@@ -8829,6 +8829,7 @@ static int afe_get_cal_sp_th_vi_param(int32_t cal_type, size_t data_size,

 if (cal_data == NULL ||
 data_size > sizeof(*cal_data) ||
+ data_size < sizeof(cal_data->cal_hdr) ||
 this_afe.cal_data[AFE_FB_SPKR_PROT_TH_VI_CAL] == NULL)
 return 0;

@@ -8855,7 +8856,8 @@ static int afe_get_cal_sp_ex_vi_ftm_param(int32_t cal_type, size_t data_size,
 pr_debug("%s: cal_type = %d\n", __func__, cal_type);
 if (this_afe.cal_data[AFE_FB_SPKR_PROT_EX_VI_CAL] == NULL ||
 cal_data == NULL ||
- data_size != sizeof(*cal_data))
+ data_size > sizeof(*cal_data) ||
+ data_size < sizeof(cal_data->cal_hdr))
 goto done;

 mutex_lock(&this_afe.cal_data[AFE_FB_SPKR_PROT_EX_VI_CAL]->lock);
|
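Review bot: The added lower bound `data_size < sizeof(cal_data->cal_hdr)` in afe_get_cal_sp_th_vi_param only guarantees that the header fits. Any member of `*cal_data` past `cal_hdr` is still unchecked when `data_size` lies between the header size and `sizeof(*cal_data)`. The function body continues outside the hunk, so whether such members are read or written cannot be confirmed from here. If they are, the bound should cover them, for example `data_size != sizeof(*cal_data)` or a comparison against the end offset of the last field used. The same header-only bound is added in the afe_get_cal_sp_ex_vi_ftm_param hunk.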
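Review bot: Replacing `data_size != sizeof(*cal_data)` with a range check in afe_get_cal_sp_ex_vi_ftm_param loosens the validation rather than tightening it. Buffers shorter than the full structure were rejected before and are now accepted as long as they hold the header. If the code after `mutex_lock` (outside the hunk) fills in members past `cal_hdr`, the exact-size test should be kept. Otherwise a comment such as `/* payload may be shorter than *cal_data; only cal_hdr is required */` above the condition would record why the range is intentional.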