authorAjit Pandey <ajitp@codeaurora.org>2019-08-26 16:06:51 +0530
committerHarrison Lingren <hlingren@google.com>2020-03-13 20:03:48 +0000
commit199e9bf5545154aca17ea59a73ddbf3a24bcf0bf (patch)
tree69d61b7fee15ca9acb933d88352dac74f6589e53
parentcab0fa61e49674d4baacafd146c630f395289b2d (diff)
downloadmsm-extra-199e9bf5545154aca17ea59a73ddbf3a24bcf0bf.tar.gz
Check payload size to avoid out-of-boundary memory access before attempting memory read. Bug: 145550580 Change-Id: I94723b526449aacfe7b2fe30990fb77cdd15c5da Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>
-rw-r--r--dsp/avtimer.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/dsp/avtimer.c b/dsp/avtimer.c
index 41718ef6..af787827 100644
--- a/dsp/avtimer.c
+++ b/dsp/avtimer.c
@@ -97,6 +97,13 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
}
payload1 = data->payload;
+
+ if (data->payload_size < 2 * sizeof(uint32_t)) {
+ pr_err("%s: payload has invalid size %d\n",
+ __func__, data->payload_size);
+ return -EINVAL;
+ }
+
switch (payload1[0]) {
case AVCS_CMD_REMOTE_AVTIMER_RELEASE_REQUEST:
pr_debug("%s: Cmd = TIMER RELEASE status[0x%x]\n",
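Review bot: The new guard compares `data->payload_size` against a `size_t` expression but logs it with `%d`, so the check and the message disagree about the field's signedness. The declaration of `payload_size` is not visible on this page; if it is unsigned the specifier should be `%u`, and if it is a signed type a negative value would convert to a large unsigned number and pass the `< 2 * sizeof(uint32_t)` test. The same `%d` appears in the check added under `AVCS_CMD_RSP_REMOTE_AVTIMER_VOTE_REQUEST`. A comment such as `/* needs payload1[0] (command) and payload1[1] (status) */` would also explain why two words are required; that reading is inferred from the pr_debug text, since its arguments and the rest of the function lie outside the hunk.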
@@ -122,6 +129,11 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
}
case AVCS_CMD_RSP_REMOTE_AVTIMER_VOTE_REQUEST:
+ if (data->payload_size < sizeof(uint32_t)) {
+ pr_err("%s: payload has invalid size %d\n",
+ __func__, data->payload_size);
+ return -EINVAL;
+ }
payload1 = data->payload;
pr_debug("%s: RSP_REMOTE_AVTIMER_VOTE_REQUEST handle %x\n",
__func__, payload1[0]);
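Review bot: The rejection message added in this case is byte-identical to the one in the earlier check, so a logged `payload has invalid size` line does not say which opcode path dropped the packet or what minimum was expected. Naming the path, for example `pr_err("%s: VOTE_REQUEST rsp payload too small: %d\n", __func__, data->payload_size);`, would make a malformed response easier to triage from logs. The bound covers only `payload1[0]`, which matches the visible pr_debug; the case body continues past the hunk, so any further payload reads there should be confirmed against this one-word minimum.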