commit 34df55a3bd442a10cb6839bb729bfb08dc0e8c93
author Kunlei Zhang <kunleiz@codeaurora.org> Wed Feb 24 11:25:41 2021 +0800
committer Gerrit - the friendly Code Review server <code-review@localhost> Wed Mar 17 01:36:05 2021 -0700
tree d9711c664fabe4da331945d4f6b288b6f1fcbe9d
parent 2531ff66b0391a5a44e1c58eccca039bc45363a4

dsp: update size check for get VI param function

In afe_get_cal_sp_th_vi_param functions, data size
should check with size of cal_type_header. The check
is not present which might lead to out of bounds access.

Update condition to ensure data_size is greater than
or equal to size of cal_type_header.

Change-Id: Ib2904f53243f4fb858131511812fd90de32b4656
Signed-off-by: Kunlei Zhang <kunleiz@codeaurora.org>

dsp/q6afe.c

diff --git a/dsp/q6afe.c b/dsp/q6afe.c
index 88124df..7f594f2 100644
--- a/dsp/q6afe.c
+++ b/dsp/q6afe.c
@@ -10160,6 +10160,7 @@
 
 	if (cal_data == NULL ||
 	    data_size > sizeof(*cal_data) ||
+	    data_size < sizeof(cal_data->cal_hdr) ||
 	    this_afe.cal_data[AFE_FB_SPKR_PROT_TH_VI_CAL] == NULL)
 		return 0;
 
@@ -10188,7 +10189,8 @@
 	pr_debug("%s: cal_type = %d\n", __func__, cal_type);
 	if (this_afe.cal_data[AFE_FB_SPKR_PROT_V4_EX_VI_CAL] == NULL ||
 	    cal_data == NULL ||
-	    data_size != sizeof(*cal_data))
+	    data_size > sizeof(*cal_data) ||
+	    data_size < sizeof(cal_data->cal_hdr))
 		goto done;
 
 	mutex_lock(&this_afe.cal_data[AFE_FB_SPKR_PROT_V4_EX_VI_CAL]->lock);
@@ -10255,7 +10257,8 @@
 	pr_debug("%s: cal_type = %d\n", __func__, cal_type);
 	if (this_afe.cal_data[AFE_FB_SPKR_PROT_EX_VI_CAL] == NULL ||
 	    cal_data == NULL ||
-	    data_size != sizeof(*cal_data))
+	    data_size > sizeof(*cal_data) ||
+	    data_size < sizeof(cal_data->cal_hdr))
 		goto done;
 
 	mutex_lock(&this_afe.cal_data[AFE_FB_SPKR_PROT_EX_VI_CAL]->lock);