From 72066d3ab6b76ae0361663d211b9f2a02ebdb44f Mon Sep 17 00:00:00 2001 From: Ajit Pandey Date: Fri, 27 Sep 2019 17:50:34 +0530 Subject: [PATCH] dsp: adsp-loader: Support dynamic size for array priv->adsp_fw_name. Current implementation allocates fixed size for array priv->adsp_fw_name but this may result in out of bound access if source adsp_fw_name_array dts property size exceed this fixed size. This patch fixes this issue by allocating priv->adsp_fw_name array with dynamic size of source array. Also fixes bytes copied in strlcpy. Change-Id: Iea031952224672c34eb7245996687985e18ef8be Signed-off-by: Ajit Pandey --- dsp/adsp-loader.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/dsp/adsp-loader.c b/dsp/adsp-loader.c index ef9d92db75..aec90f539b 100644 --- a/dsp/adsp-loader.c +++ b/dsp/adsp-loader.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include #include @@ -22,7 +23,6 @@ #define SSR_RESET_CMD 1 #define IMAGE_UNLOAD_CMD 0 #define MAX_FW_IMAGES 4 -#define ADSP_FW_NAME_MAX_LENGTH 5 static ssize_t adsp_boot_store(struct kobject *kobj, struct kobj_attribute *attr, @@ -330,6 +330,7 @@ static int adsp_loader_probe(struct platform_device *pdev) int adsp_fw_cnt; u32* adsp_fw_bit_values = NULL; int i; + int fw_name_size; u32 adsp_var_idx; int ret = 0; @@ -398,12 +399,14 @@ static int adsp_loader_probe(struct platform_device *pdev) for (i = 0; i < adsp_fw_cnt; i++) { if (adsp_fw_bit_values[i] == adsp_var_idx) { + fw_name_size = strlen(adsp_fw_name_array[i]) + 1; priv->adsp_fw_name = devm_kzalloc(&pdev->dev, - ADSP_FW_NAME_MAX_LENGTH, GFP_KERNEL); + fw_name_size, + GFP_KERNEL); if (!priv->adsp_fw_name) goto wqueue; strlcpy(priv->adsp_fw_name, adsp_fw_name_array[i], - sizeof(priv->adsp_fw_name)); + fw_name_size); break; } }