rstream: validate client type from client

Checks if the client type from clients is valid to prevent invalid
buffer access.

BUG=1159255
BUG=b:175764776
TEST=FEATURES=test USE=asan emerge-$BOARD -j adhd
TEST=oss-fuzz

Change-Id: I56e367b2f6b99da2fa4b2725a67772fff625aba2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/2674499
Commit-Queue: Chih-Yang Hsia <paulhsia@chromium.org>
Commit-Queue: Yu-Hsuan Hsu <yuhsuan@chromium.org>
Tested-by: Chih-Yang Hsia <paulhsia@chromium.org>
Reviewed-by: Yu-Hsuan Hsu <yuhsuan@chromium.org>
Auto-Submit: Chih-Yang Hsia <paulhsia@chromium.org>

2 files changed, 6 insertions, 0 deletions

diff --git a/cras/src/server/cras_rstream.c b/cras/src/server/cras_rstream.c
index 94adcead..5ff33a5b 100644
--- a/cras/src/server/cras_rstream.c
+++ b/cras/src/server/cras_rstream.c
@@ -167,6 +167,11 @@ static int verify_rstream_parameters(const struct cras_rstream_config *config,
 		syslog(LOG_ERR, "rstream: Invalid stream type.\n");
 		return -EINVAL;
 	}
+	if (config->client_type < CRAS_CLIENT_TYPE_UNKNOWN ||
+	    config->client_type >= CRAS_NUM_CLIENT_TYPE) {
+		syslog(LOG_ERR, "rstream: Invalid client type.\n");
+		return -EINVAL;
+	}
 	if ((config->client_shm_size > 0 && config->client_shm_fd < 0) ||
 	    (config->client_shm_size == 0 && config->client_shm_fd >= 0)) {
 		syslog(LOG_ERR, "rstream: invalid client-provided shm info\n");
diff --git a/cras/src/tests/rstream_unittest.cc b/cras/src/tests/rstream_unittest.cc
index 593c805d..d8dae24c 100644
--- a/cras/src/tests/rstream_unittest.cc
+++ b/cras/src/tests/rstream_unittest.cc
@@ -32,6 +32,7 @@ class RstreamTestSuite : public testing::Test {
 
     config_.stream_id = 555;
     config_.stream_type = CRAS_STREAM_TYPE_DEFAULT;
+    config_.client_type = CRAS_CLIENT_TYPE_UNKNOWN;
     config_.direction = CRAS_STREAM_OUTPUT;
     config_.dev_idx = NO_DEVICE;
     config_.flags = 0;