diff options
| author | Bubble Fang <bubblefang@google.com> | 2023-09-01 17:18:57 +0000 |
|---|---|---|
| committer | Bubble Fang <bubblefang@google.com> | 2023-09-01 19:03:55 +0000 |
| commit | 4523f2360e370f4ec763987b61953dc01cbc68e0 (patch) | |
| tree | d5981cfc70e59deb128e505a50940e62de3174d3 | |
| parent | bd01be2bd42ebfe02a0853171e11f67c63116905 (diff) | |
| download | msm-extra-4523f2360e370f4ec763987b61953dc01cbc68e0.tar.gz | |
ASoC: msm-pcm-host-voice: Address buffer overflow in hpcm copy
Add check for the max hpcm_buf_node size before copy to avoid
buffer out of bounds issue.
Bug: 290061915
Change-Id: Ida4cd1b2f59a751458b10b9d53e50eb39f4e299c
Signed-off-by: Bubble Fang <bubblefang@google.com>
| -rw-r--r-- | asoc/msm-pcm-host-voice-v2.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/asoc/msm-pcm-host-voice-v2.c b/asoc/msm-pcm-host-voice-v2.c index 41c3982d..36728eb0 100644 --- a/asoc/msm-pcm-host-voice-v2.c +++ b/asoc/msm-pcm-host-voice-v2.c @@ -656,6 +656,11 @@ static void hpcm_copy_playback_data_from_queue(struct dai_data *dai_data, struct hpcm_buf_node, list); list_del(&buf_node->list); *len = buf_node->frame.len; + if (*len > HPCM_MAX_VOC_PKT_SIZE) { + pr_err("%s: Playback data len %d overflow\n", + __func__, *len); + return; + } memcpy((u8 *)dai_data->vocpcm_ion_buffer.kvaddr, &buf_node->frame.voc_pkt[0], buf_node->frame.len); @@ -683,6 +688,12 @@ static void hpcm_copy_capture_data_to_queue(struct dai_data *dai_data, if (dai_data->substream == NULL) return; + if (len > HPCM_MAX_VOC_PKT_SIZE) { + pr_err("%s: Copy capture data len %d overflow\n", + __func__, len); + return; + } + /* Copy out buffer packet into free_queue */ spin_lock_irqsave(&dai_data->dsp_lock, dsp_flags); |