dsp: q6voice: Check size of payload before access
Check size of payload array before access in qdsp_mvm_callback.
Change-Id: I81d945f963cfb4a3cb26155700b82880d891ec5e
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
diff --git a/dsp/q6voice.c b/dsp/q6voice.c
index 742f18d..e768278 100644
--- a/dsp/q6voice.c
+++ b/dsp/q6voice.c
@@ -7427,7 +7427,7 @@
static int32_t qdsp_mvm_callback(struct apr_client_data *data, void *priv)
{
- uint32_t *ptr = NULL;
+ uint32_t *ptr = NULL, min_payload_size = 0;
struct common_data *c = NULL;
struct voice_data *v = NULL;
struct vss_evt_voice_activity *voice_act_update = NULL;
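Review bot: The new declaration `uint32_t *ptr = NULL, min_payload_size = 0;` puts a pointer and a scalar in one declarator list, which is easy to misread as two pointers. A separate line such as `uint32_t min_payload_size = 0;` would read more clearly. The variable is later assigned from `min_t(u32, ...)`, so the file's choice between `u32` and `uint32_t` should be consistent. The body of qdsp_mvm_callback continues outside this hunk.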
@@ -7498,7 +7498,7 @@
}
if (data->opcode == APR_BASIC_RSP_RESULT) {
- if (data->payload_size) {
+ if (data->payload_size >= sizeof(ptr[0]) * 2) {
ptr = data->payload;
pr_debug("%x %x\n", ptr[0], ptr[1]);
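Review bot: The bound `sizeof(ptr[0]) * 2` is correct for the `ptr[0]` and `ptr[1]` reads on the following lines, but the `* 2` is unexplained. A short comment such as `/* response carries two 32-bit words, read below as ptr[0] and ptr[1] */` would keep the check tied to the accesses it protects. A payload that is too short now skips the block silently, whereas the VSS_IMEMORY_RSP_MAP branch later in this commit logs with `pr_err` and returns `-EINVAL`. If no else branch exists outside this hunk, a matching `pr_err` here would make malformed responses visible in logs.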
@@ -7568,7 +7568,13 @@
} else if (data->opcode == VSS_IMEMORY_RSP_MAP) {
pr_debug("%s, Revd VSS_IMEMORY_RSP_MAP response\n", __func__);
- if (data->payload_size && data->token == VOIP_MEM_MAP_TOKEN) {
+ if (data->payload_size < sizeof(ptr[0])) {
+ pr_err("%s: payload has invalid size[%d]\n", __func__,
+ data->payload_size);
+ return -EINVAL;
+ }
+
+ if (data->token == VOIP_MEM_MAP_TOKEN) {
ptr = data->payload;
if (ptr[0]) {
v->shmem_info.mem_handle = ptr[0];
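Review bot: The new size check runs before the token test, so a VSS_IMEMORY_RSP_MAP response with a short payload now returns `-EINVAL` for every token, not only `VOIP_MEM_MAP_TOKEN`. Previously such a response with a different token fell through to whatever follows this `if`, which is outside the hunk. It is worth confirming that path does not need to run (for example to wake a waiter) even when the payload is empty. The `pr_err` also prints `data->payload_size` with `%d`. If that field is unsigned, as the `sizeof` comparison suggests, `%u` is the matching specifier: `pr_err("%s: payload has invalid size[%u]\n", __func__, data->payload_size);`.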
@@ -7635,10 +7641,13 @@
pr_debug("%s: Received VSS_IVERSION_RSP_GET\n", __func__);
if (data->payload_size) {
+ min_payload_size = min_t(u32, (int)data->payload_size,
+ CVD_VERSION_STRING_MAX_SIZE);
version_rsp =
(struct vss_iversion_rsp_get_t *)data->payload;
memcpy(common.cvd_version, version_rsp->version,
- CVD_VERSION_STRING_MAX_SIZE);
+ min_payload_size);
+ common.cvd_version[min_payload_size - 1] = '\0';
pr_debug("%s: CVD Version = %s\n",
__func__, common.cvd_version);
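Review bot: The copy length is bounded by the whole `data->payload_size`, but the `memcpy` source is `version_rsp->version`, so the bound is only exact if `version` sits at offset 0 of `struct vss_iversion_rsp_get_t`. The struct is not visible here; if other members precede it, the limit should be `data->payload_size - offsetof(struct vss_iversion_rsp_get_t, version)`. The `(int)` cast inside `min_t(u32, ...)` has no effect and can be dropped: `min_payload_size = min_t(u32, data->payload_size, CVD_VERSION_STRING_MAX_SIZE);`. Writing the terminator at `min_payload_size - 1` overwrites the last copied byte, so a short, unterminated version string loses its final character. A one-line comment should say that this truncation is intended. The hunk also relies on `common.cvd_version` being at least `CVD_VERSION_STRING_MAX_SIZE` bytes, which is declared outside the visible lines.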