From b44d5f71da7d2c44a7575376c582f9f1cde1cf6d Mon Sep 17 00:00:00 2001
From: Ben Romberger <bromberg@codeaurora.org>
Date: Wed, 3 Apr 2013 16:20:18 -0700
Subject: ASoC: msm: Add size safety check to ACDB driver

Check that the size sent by userspace is not larger
then the internal amount allowed. This protects
against overflowing the stack due to an invalid size.

Change-Id: I4a5b5ca5212bea32b671027d68a66367c5d4c4e7
CRs-fixed: 470222
Signed-off-by: Ben Romberger <bromberg@codeaurora.org>
---
 sound/soc/msm/qdsp6v2/audio_acdb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/msm/qdsp6v2/audio_acdb.c b/sound/soc/msm/qdsp6v2/audio_acdb.c
index 16d6e81c..b2a469b 100644
--- a/sound/soc/msm/qdsp6v2/audio_acdb.c
+++ b/sound/soc/msm/qdsp6v2/audio_acdb.c
@@ -1064,7 +1064,7 @@ static long acdb_ioctl(struct file *f,
 		goto done;
 	}
 
-	if (size <= 0) {
+	if ((size <= 0) || (size > sizeof(data))) {
 		pr_err("%s: Invalid size sent to driver: %d\n",
 			__func__, size);
 		result = -EFAULT;
-- 
cgit v1.1