dsp: adsp-loader: Support dynamic size for array priv->adsp_fw_name.

Current implementation allocates fixed size for array priv->adsp_fw_name but this may result in out of bound access if source adsp_fw_name_array dts property size exceed this fixed size. This patch fixes this issue by allocating priv->adsp_fw_name array with dynamic size of source array. Also fixes bytes copied in strlcpy. Change-Id: Iea031952224672c34eb7245996687985e18ef8be Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>
2019-09-27 17:50:34 +05:30
parent 50caff1bd9
commit 72066d3ab6
1 changed files with 6 additions and 3 deletions
--- a/dsp/adsp-loader.c
+++ b/dsp/adsp-loader.c
@@ -7,6 +7,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/err.h>
+#include <linux/string.h>
 #include <linux/delay.h>
 #include <linux/platform_device.h>
 #include <ipc/apr.h>
@@ -22,7 +23,6 @@
 #define SSR_RESET_CMD 1
 #define IMAGE_UNLOAD_CMD 0
 #define MAX_FW_IMAGES 4
-#define ADSP_FW_NAME_MAX_LENGTH 5

 static ssize_t adsp_boot_store(struct kobject *kobj,
 	struct kobj_attribute *attr,
@@ -330,6 +330,7 @@ static int adsp_loader_probe(struct platform_device *pdev)
 	int adsp_fw_cnt;
 	u32* adsp_fw_bit_values = NULL;
 	int i;
+	int fw_name_size;
 	u32 adsp_var_idx;
 	int ret = 0;

@@ -398,12 +399,14 @@ static int adsp_loader_probe(struct platform_device *pdev)

 	for (i = 0; i < adsp_fw_cnt; i++) {
 		if (adsp_fw_bit_values[i] == adsp_var_idx) {
+			fw_name_size = strlen(adsp_fw_name_array[i]) + 1;
 			priv->adsp_fw_name = devm_kzalloc(&pdev->dev,
-					ADSP_FW_NAME_MAX_LENGTH, GFP_KERNEL);
+						fw_name_size,
+						GFP_KERNEL);
 			if (!priv->adsp_fw_name)
 				goto wqueue;
 			strlcpy(priv->adsp_fw_name, adsp_fw_name_array[i],
-				sizeof(priv->adsp_fw_name));
+				fw_name_size);
 			break;
 		}
 	}