asoc: msm-routing: Fix array out of bounds issue.
It seems there is out of bound access chances for lsm_app_type_cfg
array within msm_routing_get_lsm_app_type_cfg_control() callback.
Added case check to return invalid value if user tries to exceed
maximum allocated size of array to avoid it.
Change-Id: Ied86e6c9a957255c55bb126a09741fbde429be32
Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>
diff --git a/asoc/msm-pcm-routing-v2.c b/asoc/msm-pcm-routing-v2.c
index a33f028..5fcde20 100644
--- a/asoc/msm-pcm-routing-v2.c
+++ b/asoc/msm-pcm-routing-v2.c
@@ -14393,15 +14393,18 @@
struct snd_ctl_elem_value *ucontrol)
{
int i = 0, j;
- int num_app_types = ucontrol->value.integer.value[i++];
+ int num_app_types;
- memset(lsm_app_type_cfg, 0, MAX_APP_TYPES*
- sizeof(struct msm_pcm_routing_app_type_data));
- if (num_app_types > MAX_APP_TYPES) {
+ if (ucontrol->value.integer.value[0] > MAX_APP_TYPES) {
pr_err("%s: number of app types exceed the max supported\n",
__func__);
return -EINVAL;
}
+
+ num_app_types = ucontrol->value.integer.value[i++];
+ memset(lsm_app_type_cfg, 0, MAX_APP_TYPES*
+ sizeof(struct msm_pcm_routing_app_type_data));
+
for (j = 0; j < num_app_types; j++) {
lsm_app_type_cfg[j].app_type =
ucontrol->value.integer.value[i++];