ASoC: msm: Add bounds checking to ADM get params
Add additional bounds checking to ADM get params.
Validate that all buffer sizes are valid before
dereferencing.
BUG=27947307
Change-Id: Iae3643985b5b72b78606f4dff94f8068ee0ddc09
diff --git a/sound/soc/msm/qdsp6v2/q6adm.c b/sound/soc/msm/qdsp6v2/q6adm.c
index 08caf51..14565cc 100644
--- a/sound/soc/msm/qdsp6v2/q6adm.c
+++ b/sound/soc/msm/qdsp6v2/q6adm.c
@@ -508,9 +508,18 @@
rc = -EINVAL;
goto adm_get_param_return;
}
- if (params_data) {
+ if ((params_data) &&
+ (ARRAY_SIZE(adm_get_parameters) > 0) &&
+ (ARRAY_SIZE(adm_get_parameters) >= 1+adm_get_parameters[0]) &&
+ (params_length/sizeof(int) >= adm_get_parameters[0])) {
for (i = 0; i < adm_get_parameters[0]; i++)
params_data[i] = adm_get_parameters[1+i];
+ } else {
+ pr_err("%s: Get param data not copied! get_param array size %zd, index %d, params array size %zd, index %d\n",
+ __func__, ARRAY_SIZE(adm_get_parameters),
+ (1+adm_get_parameters[0]),
+ params_length/sizeof(int),
+ adm_get_parameters[0]);
}
rc = 0;
adm_get_param_return:
@@ -799,17 +808,18 @@
data->payload_size))
break;
- if (payload[0] == 0) {
- if (data->payload_size >
- (4 * sizeof(uint32_t))) {
- adm_get_parameters[0] = payload[3];
+ if ((payload[0] == 0) &&
+ (data->payload_size > (4 * sizeof(*payload))) &&
+ (data->payload_size/sizeof(*payload)-4 >= payload[3]) &&
+ (ARRAY_SIZE(adm_get_parameters) > 0) &&
+ (ARRAY_SIZE(adm_get_parameters)-1 >= payload[3])) {
+ adm_get_parameters[0] = payload[3];
pr_debug("GET_PP PARAM:received parameter length: 0x%x\n",
adm_get_parameters[0]);
/* storing param size then params */
for (i = 0; i < payload[3]; i++)
adm_get_parameters[1+i] =
payload[4+i];
- }
} else {
adm_get_parameters[0] = -1;
pr_err("%s: GET_PP_PARAMS failed, setting size to %d\n",
