diff options
| author | Bubble Fang <bubblefang@google.com> | 2023-09-01 09:50:55 +0000 |
|---|---|---|
| committer | Bubble Fang <bubblefang@google.com> | 2023-09-01 17:27:08 +0000 |
| commit | bd01be2bd42ebfe02a0853171e11f67c63116905 (patch) | |
| tree | f2e8e2069998348bfd479b3697af4cf814cc2127 | |
| parent | 52b069fc1d876a60abc0527ced87dddfad17ddc3 (diff) | |
| download | msm-extra-bd01be2bd42ebfe02a0853171e11f67c63116905.tar.gz | |
ASoC: msm-pcm-voip: Avoid interger underflow
There is no check for voip pkt pkt_len,if it contains the
min required data. This can lead to integer underflow.
Add check for the same.
Bug: 295019252
Change-Id: I13925fc3447f18e6c37e4a4978de3fd83b812be7
Signed-off-by: Bubble Fang <bubblefang@google.com>
| -rw-r--r-- | asoc/msm-pcm-voip-v2.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/asoc/msm-pcm-voip-v2.c b/asoc/msm-pcm-voip-v2.c index e2ad13b4..76c0bb11 100644 --- a/asoc/msm-pcm-voip-v2.c +++ b/asoc/msm-pcm-voip-v2.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0-only -/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. */ #include <linux/init.h> @@ -365,6 +366,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, switch (prtd->mode) { case MODE_AMR_WB: case MODE_AMR: { + if (pkt_len <= DSP_FRAME_HDR_LEN) { + pr_err("%s: pkt_len %d is < required len\n", + __func__, pkt_len); + spin_unlock_irqrestore(&prtd->dsp_ul_lock, + dsp_flags); + return; + } /* Remove the DSP frame info header. Header format: * Bits 0-3: Frame rate * Bits 4-7: Frame type @@ -385,6 +393,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, case MODE_4GV_NB: case MODE_4GV_WB: case MODE_4GV_NW: { + if (pkt_len <= DSP_FRAME_HDR_LEN) { + pr_err("%s: pkt_len %d is < required len\n", + __func__, pkt_len); + spin_unlock_irqrestore(&prtd->dsp_ul_lock, + dsp_flags); + return; + } /* Remove the DSP frame info header. * Header format: * Bits 0-3: frame rate @@ -422,6 +437,13 @@ static void voip_process_ul_pkt(uint8_t *voc_pkt, buf_node->frame.frm_hdr.timestamp = timestamp; voc_pkt = voc_pkt + DSP_FRAME_HDR_LEN; + if (pkt_len <= 2 * DSP_FRAME_HDR_LEN) { + pr_err("%s: pkt_len %d is < required len\n", + __func__, pkt_len); + spin_unlock_irqrestore(&prtd->dsp_ul_lock, + dsp_flags); + return; + } /* There are two frames in the buffer. Length of the * first frame: */ |