|
|
@@ -400,6 +400,11 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload,
|
|
|
/* Set command specific details */
|
|
|
switch (opcode) {
|
|
|
case AFE_PORT_CMDRSP_GET_PARAM_V2:
|
|
|
+ if (payload_size < (5 * sizeof(uint32_t))) {
|
|
|
+ pr_err("%s: Error: size %d is less than expected\n",
|
|
|
+ __func__, payload_size);
|
|
|
+ return -EINVAL;
|
|
|
+ }
|
|
|
expected_size += sizeof(struct param_hdr_v1);
|
|
|
param_hdr.module_id = payload[1];
|
|
|
param_hdr.instance_id = INSTANCE_ID_0;
|
|
|
@@ -408,7 +413,17 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload,
|
|
|
data_start = &payload[4];
|
|
|
break;
|
|
|
case AFE_PORT_CMDRSP_GET_PARAM_V3:
|
|
|
+ if (payload_size < (6 * sizeof(uint32_t))) {
|
|
|
+ pr_err("%s: Error: size %d is less than expected\n",
|
|
|
+ __func__, payload_size);
|
|
|
+ return -EINVAL;
|
|
|
+ }
|
|
|
expected_size += sizeof(struct param_hdr_v3);
|
|
|
+ if (payload_size < expected_size) {
|
|
|
+ pr_err("%s: Error: size %d is less than expected\n",
|
|
|
+ __func__, payload_size);
|
|
|
+ return -EINVAL;
|
|
|
+ }
|
|
|
memcpy(¶m_hdr, &payload[1], sizeof(struct param_hdr_v3));
|
|
|
data_start = &payload[5];
|
|
|
break;
|
|
|
@@ -597,6 +612,7 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv)
|
|
|
data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3) {
|
|
|
uint32_t *payload = data->payload;
|
|
|
uint32_t param_id;
|
|
|
+ uint32_t param_id_pos = 0;
|
|
|
|
|
|
if (!payload || (data->token >= AFE_MAX_PORTS)) {
|
|
|
pr_err("%s: Error: size %d payload %pK token %d\n",
|
|
|
@@ -605,9 +621,23 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv)
|
|
|
return -EINVAL;
|
|
|
}
|
|
|
|
|
|
- param_id = (data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3) ?
|
|
|
- payload[3] :
|
|
|
- payload[2];
|
|
|
+ if (rtac_make_afe_callback(data->payload,
|
|
|
+ data->payload_size))
|
|
|
+ return 0;
|
|
|
+
|
|
|
+ if (data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3)
|
|
|
+ param_id_pos = 4;
|
|
|
+ else
|
|
|
+ param_id_pos = 3;
|
|
|
+
|
|
|
+ if (data->payload_size >= param_id_pos * sizeof(uint32_t))
|
|
|
+ param_id = payload[param_id_pos - 1];
|
|
|
+ else {
|
|
|
+ pr_err("%s: Error: size %d is less than expected\n",
|
|
|
+ __func__, data->payload_size);
|
|
|
+ return -EINVAL;
|
|
|
+ }
|
|
|
+
|
|
|
if (param_id == AUDPROC_PARAM_ID_FFV_DOA_TRACKING_MONITOR) {
|
|
|
doa_tracking_mon_afe_cb_handler(data->opcode,
|
|
|
data->payload, data->payload_size);
|
|
|
@@ -615,10 +645,6 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv)
|
|
|
av_dev_drift_afe_cb_handler(data->opcode, data->payload,
|
|
|
data->payload_size);
|
|
|
} else {
|
|
|
- if (rtac_make_afe_callback(data->payload,
|
|
|
- data->payload_size))
|
|
|
- return 0;
|
|
|
-
|
|
|
if (sp_make_afe_callback(data->opcode, data->payload,
|
|
|
data->payload_size))
|
|
|
return -EINVAL;
|
|
|
@@ -645,6 +671,11 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv)
|
|
|
|
|
|
payload = data->payload;
|
|
|
if (data->opcode == APR_BASIC_RSP_RESULT) {
|
|
|
+ if (data->payload_size < (2 * sizeof(uint32_t))) {
|
|
|
+ pr_err("%s: Error: size %d is less than expected\n",
|
|
|
+ __func__, data->payload_size);
|
|
|
+ return -EINVAL;
|
|
|
+ }
|
|
|
pr_debug("%s:opcode = 0x%x cmd = 0x%x status = 0x%x token=%d\n",
|
|
|
__func__, data->opcode,
|
|
|
payload[0], payload[1], data->token);
|
Karthikeyan Mani