Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / opensource / audio-kernel / adf0c3d819eadfc960fd178bb7dd0ff1917d7497^1..adf0c3d819eadfc960fd178bb7dd0ff1917d7497 / .
commitadf0c3d819eadfc960fd178bb7dd0ff1917d7497[log] [tgz]
authorLinux Build Service Account <lnxbuild@localhost>Wed Apr 17 05:01:33 2019 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>Wed Apr 17 05:01:33 2019 -0700
tree327649eea68c6a19f003ef7f2b7f3c3ae1bc7d2f
parent95ae87a53d13c84fc1ee57a4f532b7e80a62bc18 [diff]
parent95376088625f99f0b432856cb68108ca71a79789 [diff]
Merge "dsp: afe: check for payload size before payload access"
diff --git a/dsp/q6afe.c b/dsp/q6afe.c
index 4ecceff..8e6fa1d 100644
--- a/dsp/q6afe.c
+++ b/dsp/q6afe.c

@@ -371,14 +371,20 @@
 			return -EINVAL;
 		}
 
+		if (rtac_make_afe_callback(data->payload,
+					   data->payload_size))
+			return 0;
+
+		if (data->payload_size < 3 * sizeof(uint32_t)) {
+			pr_err("%s: Error: size %d is less than expected\n",
+				__func__, data->payload_size);
+			return -EINVAL;
+		}
+
 		if (payload[2] == AFE_PARAM_ID_DEV_TIMING_STATS) {
 			av_dev_drift_afe_cb_handler(data->payload,
 						    data->payload_size);
 		} else {
-			if (rtac_make_afe_callback(data->payload,
-						   data->payload_size))
-				return 0;
-
 			if (sp_make_afe_callback(data->payload,
 						 data->payload_size))
 				return -EINVAL;
@@ -393,6 +399,11 @@
 
 		payload = data->payload;
 		if (data->opcode == APR_BASIC_RSP_RESULT) {
+			if (data->payload_size < (2 * sizeof(uint32_t))) {
+				pr_err("%s: Error: size %d is less than expected\n",
+					__func__, data->payload_size);
+				return -EINVAL;
+			}
 			pr_debug("%s:opcode = 0x%x cmd = 0x%x status = 0x%x token=%d\n",
 				__func__, data->opcode,
 				payload[0], payload[1], data->token);