author | Ajit Pandey <ajitp@codeaurora.org> | 2019-08-26 16:06:51 +0530 |
---|---|---|
committer | Harrison Lingren <hlingren@google.com> | 2020-03-13 20:03:48 +0000 |
commit | 199e9bf5545154aca17ea59a73ddbf3a24bcf0bf (patch) | |
tree | 69d61b7fee15ca9acb933d88352dac74f6589e53 | |
parent | cab0fa61e49674d4baacafd146c630f395289b2d (diff) | |
download | msm-extra-199e9bf5545154aca17ea59a73ddbf3a24bcf0bf.tar.gz |
dsp: avtimer: validate payload size before memory copy
android-10.0.0_r0.81 android-10.0.0_r0.74 android-10.0.0_r0.67 android-msm-coral-4.14-android10-qpr3 android-msm-coral-4.14-android10
Check payload size to avoid out-of-boundary memory
access before attempting memory read.
Bug: 145550580
Change-Id: I94723b526449aacfe7b2fe30990fb77cdd15c5da
Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>
-rw-r--r-- | dsp/avtimer.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/dsp/avtimer.c b/dsp/avtimer.c
index 41718ef6..af787827 100644
--- a/dsp/avtimer.c
+++ b/dsp/avtimer.c
@@ -97,6 +97,13 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
 }
 payload1 = data->payload;
+
+ if (data->payload_size < 2 * sizeof(uint32_t)) {
+ pr_err("%s: payload has invalid size %d\n",
+ __func__, data->payload_size);
+ return -EINVAL;
+ }
+
 switch (payload1[0]) {
 case AVCS_CMD_REMOTE_AVTIMER_RELEASE_REQUEST:
 pr_debug("%s: Cmd = TIMER RELEASE status[0x%x]\n",
@@ -122,6 +129,11 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
 }
 case AVCS_CMD_RSP_REMOTE_AVTIMER_VOTE_REQUEST:
+ if (data->payload_size < sizeof(uint32_t)) {
+ pr_err("%s: payload has invalid size %d\n",
+ __func__, data->payload_size);
+ return -EINVAL;
+ }
 payload1 = data->payload;
 pr_debug("%s: RSP_REMOTE_AVTIMER_VOTE_REQUEST handle %x\n",
 __func__, payload1[0]); |
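Review bot: Both added checks log `data->payload_size` with `%d` and an identical message, so a log line cannot tell the `2 * sizeof(uint32_t)` check in the first hunk from the `sizeof(uint32_t)` check in the second; if the field is unsigned (its declaration is not visible here), `%u` is the matching specifier. I would name the required minimum in each message, e.g. `pr_err("%s: payload size %u, need at least %zu\n", __func__, data->payload_size, 2 * sizeof(uint32_t));`, and put a comment above the first check such as `/* payload1[0] and payload1[1] are read by the cases below */` so the factor of two is tied to the reads it guards (the second read is presumably the status word; the pr_debug arguments are cut off by the hunk). Since the size presumably comes from a packet sent by the remote DSP, `pr_err_ratelimited` would keep a stream of malformed responses from flooding the kernel log. The body of aprv2_core_fn_q starts and ends outside both hunks, so whether `payload_size` is itself bounded against the received buffer cannot be judged from here.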