author | Bubble Fang <bubblefang@google.com> | 2023-10-31 04:02:32 +0000 |
---|---|---|
committer | Bubble Fang <bubblefang@google.com> | 2023-10-31 05:54:28 +0000 |
commit | 598e8ee7a25df36d352e311f29667351f03ef6ef (patch) | |
tree | 505c337d579bef47b2d7edafca074e83ae3ddecc | |
parent | ac5704c3dbd3b43eeb2366598bdab01a361a349f (diff) | |
download | msm-extra-android-msm-redbull-4.19-android14-qpr1.tar.gz |
ASoC: dsp: q6core: Avoid use after free
android-u-qpr3-beta-2_r0.1 android-u-qpr3-beta-1_r0.6 android-u-qpr2-beta-3_r0.1 android-14.0.0_r0.46 android-14.0.0_r0.32 android-msm-redbull-4.19-android14-qpr1
Add a check on the AVCS_CMD_RSP_LOAD_MODULES response payload
to avoid accessing it after it has been freed.
Bug: 303101067
Change-Id: Ie3991640394d761525afc2e9c1e17955bd4cf355
Signed-off-by: Bubble Fang <bubblefang@google.com>
-rw-r--r-- | dsp/q6core.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/dsp/q6core.c b/dsp/q6core.c
index a58a03b3..9d9fc97f 100644
--- a/dsp/q6core.c
+++ b/dsp/q6core.c
@@ -475,6 +475,8 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
 case AVCS_CMD_RSP_LOAD_MODULES:
 pr_debug("%s: Received AVCS_CMD_RSP_LOAD_MODULES\n", __func__);
+ if (!rsp_payload)
+ return -EINVAL;
 if (data->payload_size != ((sizeof(struct avcs_load_unload_modules_sec_payload) * rsp_payload->num_modules) + sizeof(uint32_t))) {
 pr_err("%s: payload size not equal to expected size %d\n",
@@ -1061,6 +1063,7 @@ int32_t q6core_avcs_load_unload_modules(struct avcs_load_unload_modules_payload
 done:
 kfree(mod);
 kfree(rsp_payload);
+ rsp_payload = NULL;
 mutex_unlock(&(q6core_lcl.cmd_lock));
 return ret;
 } |
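Review bot: The new `if (!rsp_payload)` guard in the AVCS_CMD_RSP_LOAD_MODULES case and the `kfree(rsp_payload); rsp_payload = NULL;` pair in the second hunk (`done:` in q6core_avcs_load_unload_modules) are not visibly serialized against each other, so the guard narrows the use-after-free window but does not close it. The free runs under `q6core_lcl.cmd_lock`, while nothing in the callback hunk takes that lock (the callback body continues outside the hunk, and it probably cannot sleep on a mutex), so a response handled while the caller is in `done:` can pass the check and still read `rsp_payload->num_modules` from freed memory. The pointer should be read and cleared under a lock the callback is allowed to take, and until then the caller should at least unpublish before freeing, e.g. `tmp = rsp_payload; rsp_payload = NULL; kfree(tmp);` with `tmp` a local of the pointer's type. The early return is also silent; a `pr_err("%s: LOAD_MODULES response with no pending request\n", __func__);` before `return -EINVAL;` would make stray responses visible in logs.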