Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

dsp: avtimer: validate payload size before memory copy 

Check payload size to avoid out-of-boundary memory
access before attemptimg memory read.

Change-Id: I94723b526449aacfe7b2fe30990fb77cdd15c5da
Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>
This commit is contained in:
Ajit Pandey 2019-08-26 16:06:51 +05:30 committed by L R
parent b318271a8b
commit adbb23f73a
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
drivers/platform/msm/avtimer.c
View File

@ -1,4 +1,4 @@
/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
/* Copyright (c) 2012-2016, 2019, The Linux Foundation. All rights reserved.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -91,6 +91,13 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
}
payload1 = data->payload;
if (data->payload_size < 2 * sizeof(uint32_t)) {
pr_err("%s: payload has invalid size %d\n",
__func__, data->payload_size);
return -EINVAL;
}
switch (payload1[0]) {
case AVCS_CMD_REMOTE_AVTIMER_RELEASE_REQUEST:
pr_debug("%s: Cmd = TIMER RELEASE status[0x%x]\n",
@ -116,6 +123,11 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
}
case AVCS_CMD_RSP_REMOTE_AVTIMER_VOTE_REQUEST:
if (data->payload_size < sizeof(uint32_t)) {
pr_err("%s: payload has invalid size %d\n",
__func__, data->payload_size);
return -EINVAL;
}
payload1 = data->payload;
pr_debug("%s: RSP_REMOTE_AVTIMER_VOTE_REQUEST handle %x\n",
__func__, payload1[0]);