Merge "dsp: afe: check for payload size before payload access"
diff --git a/dsp/q6afe.c b/dsp/q6afe.c
index 4ecceff..8e6fa1d 100644
--- a/dsp/q6afe.c
+++ b/dsp/q6afe.c
@@ -371,14 +371,20 @@
return -EINVAL;
}
+ if (rtac_make_afe_callback(data->payload,
+ data->payload_size))
+ return 0;
+
+ if (data->payload_size < 3 * sizeof(uint32_t)) {
+ pr_err("%s: Error: size %d is less than expected\n",
+ __func__, data->payload_size);
+ return -EINVAL;
+ }
+
if (payload[2] == AFE_PARAM_ID_DEV_TIMING_STATS) {
av_dev_drift_afe_cb_handler(data->payload,
data->payload_size);
} else {
- if (rtac_make_afe_callback(data->payload,
- data->payload_size))
- return 0;
-
if (sp_make_afe_callback(data->payload,
data->payload_size))
return -EINVAL;
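Review bot: rtac_make_afe_callback() now runs ahead of the new `3 * sizeof(uint32_t)` check, so it receives data->payload with a length that nothing in this hunk has validated, and it now also sees AFE_PARAM_ID_DEV_TIMING_STATS responses that previously bypassed it. If the ordering is deliberate (for example because RTAC responses can be shorter than three words), it relies on rtac_make_afe_callback() bounding its own reads, which is not visible here. A comment above the call such as `/* runs before the size check: rtac validates payload_size itself */` would record that once confirmed; otherwise the size check should move above the call. Both new pr_err() calls (here and in the APR_BASIC_RSP_RESULT hunk) print data->payload_size with `%d`; if the field is an unsigned type (its declaration is not shown), `%u` is the matching specifier. The enclosing function starts and ends outside the hunk.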
@@ -393,6 +399,11 @@
payload = data->payload;
if (data->opcode == APR_BASIC_RSP_RESULT) {
+ if (data->payload_size < (2 * sizeof(uint32_t))) {
+ pr_err("%s: Error: size %d is less than expected\n",
+ __func__, data->payload_size);
+ return -EINVAL;
+ }
pr_debug("%s:opcode = 0x%x cmd = 0x%x status = 0x%x token=%d\n",
__func__, data->opcode,
payload[0], payload[1], data->token);
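Review bot: The bound `2 * sizeof(uint32_t)` in the APR_BASIC_RSP_RESULT branch is tied to the payload[0] and payload[1] reads only by proximity. A one-line comment above the check, `/* payload[0] = cmd, payload[1] = status: need two words */`, would keep the bound and the indices in step if a later change reads more words. The branch continues outside the hunk, so any code after the pr_debug() that reads payload[2] or beyond would need its own length check.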