From 56ff68b1f93eaf22e5e0284648fd862dc08c9236 Mon Sep 17 00:00:00 2001
From: Mohammad Johny Shaik
Date: Thu, 12 Dec 2013 14:26:42 +0530
Subject: Asoc:msm:Added Buffer overflow check

The overflow check is required to ensure that user space data in kernel may not go beyond buffer boundary.

Change-Id: I79b7e5f875fadcaeceb05f9163ae3666d4b6b7e1
CRs-Fixed: 563086
Signed-off-by: Mohammad Johny Shaik
---
 arch/arm/mach-msm/qdsp6v2/audio_utils.c | 6 ++++++
 sound/soc/msm/qdsp6v2/q6asm.c | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/arch/arm/mach-msm/qdsp6v2/audio_utils.c b/arch/arm/mach-msm/qdsp6v2/audio_utils.c
index 2a245f8..b8e55f9 100644
--- a/arch/arm/mach-msm/qdsp6v2/audio_utils.c
+++ b/arch/arm/mach-msm/qdsp6v2/audio_utils.c
@@ -23,6 +23,7 @@
 #include
 #include "audio_utils.h"
+#define FRAME_SIZE (1 + ((1536+sizeof(struct meta_out_dsp)) * 5))
 static int audio_in_pause(struct q6audio_in *audio)
 {
 int rc;
@@ -258,6 +259,11 @@ long audio_in_ioctl(struct file *file,
 rc = -EINVAL;
 break;
 }
+ if ((cfg.buffer_size > FRAME_SIZE) ||
+ (cfg.buffer_count != FRAME_NUM)) {
+ rc = -EINVAL;
+ break;
+ }
 audio->str_cfg.buffer_size = cfg.buffer_size;
 audio->str_cfg.buffer_count = cfg.buffer_count;
 rc = q6asm_audio_client_buf_alloc(OUT, audio->ac,
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
index 82b92aa9..09c40d6 100644
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
@@ -55,6 +55,7 @@
 #define READDONE_IDX_FLAGS 8
 #define READDONE_IDX_NUMFRAMES 9
 #define READDONE_IDX_SEQ_ID 10
+#define FRAME_NUM (8) /* TODO, combine them together */
 static DEFINE_MUTEX(session_lock);
@@ -608,6 +609,8 @@ int q6asm_audio_client_buf_alloc(unsigned int dir,
 pr_debug("%s: buffer already allocated\n", __func__);
 return 0;
 }
+ if (bufcnt != FRAME_NUM)
+ goto fail;
 mutex_lock(&ac->cmd_lock);
 buf = kzalloc(((sizeof(struct audio_buffer))*bufcnt), GFP_KERNEL);
--
cgit v1.1
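Review bot: FRAME_SIZE is introduced as a bare magic expression, `1 + ((1536+sizeof(struct meta_out_dsp)) * 5)`, with nothing saying what 1536, 5 or the leading 1 represent, yet it becomes the only bound on a user-supplied buffer_size later in this file. A comment above the define tying each term to the frame layout it encodes is needed so that a later change to the DSP format updates the bound too; nothing in the hunk establishes the meaning of those constants, so the author should spell it out, for example `/* max bytes in one read buffer: 5 frames of (1536 payload + meta_out_dsp), plus 1 — TODO confirm against the encoder format */` with the TODO resolved before merge. The define also sits in a .c file between the includes and the first function; if the same bound is needed by the q6asm side, a shared header would be the better home.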
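Review bot: The new guard in the stream-config branch rejects an out-of-range request silently, so a caller that trips it gets -EINVAL with nothing in the log to distinguish it from the existing -EINVAL path just above; add `pr_err("%s: stream cfg out of range\n", __func__);` before the new `rc = -EINVAL;`. The check also depends on FRAME_NUM, which this patch defines only in q6asm.c, so audio_utils.c must be getting it from somewhere else, presumably audio_utils.h; the two values must agree, because q6asm_audio_client_buf_alloc now refuses any count other than its own FRAME_NUM and a mismatch would make every stream configuration fail. The condition of the existing check whose `rc = -EINVAL; break;` opens the hunk is not visible; if it does not already reject buffer_size == 0, the lower bound belongs in the new guard as well. audio_in_ioctl starts and ends outside the hunk.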
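Review bot: `#define FRAME_NUM (8) /* TODO, combine them together */` adds a second copy of a constant that, per its own TODO, already exists elsewhere, and this copy now gates q6asm_audio_client_buf_alloc while the other gates audio_in_ioctl; if either is edited alone, every buffer allocation starts failing with no obvious cause. The define belongs once in a header both files include, with the .c copies removed, rather than in a TODO. If it has to stay here for now, the comment should at least name what it must match, e.g. `/* must equal FRAME_NUM used by arch/arm/mach-msm/qdsp6v2/audio_utils.c */`, so the coupling is visible at the point of change.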
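Review bot: `if (bufcnt != FRAME_NUM) goto fail;` jumps to a label outside the hunk from a point before `mutex_lock(&ac->cmd_lock)` and before any buffer is allocated; confirm that `fail` neither unlocks cmd_lock nor frees per-port buffers on the assumption they exist, since the existing goto sites presumably run after the lock and the kzalloc. An explicit early exit avoids that question and records why the request was refused, which the silent goto does not: `if (bufcnt != FRAME_NUM) { pr_err("%s: unsupported bufcnt\n", __func__); return -EINVAL; }` — with -EINVAL only if that is what `fail` returns today, so the ioctl caller sees the same error as before. q6asm_audio_client_buf_alloc starts and ends outside the hunk.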