samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull-Requests Actions Pakete Projekte Releases Wiki Aktivität

Merge "dsp: afe: check for payload size before payload access"

Quellcode durchsuchen
Dieser Commit ist enthalten in:
qctecmdr
2019-04-14 23:13:54 -07:00
committet von Gerrit - the friendly Code Review server
Ursprung d14c2dc368 3325ee5475
Commit f082bd8110
1 geänderte Dateien mit 38 neuen und 7 gelöschten Zeilen
Patch-Datei herunterladen Vergleichs-Datei herunterladen Alle Dateien ausklappen Alle Dateien einklappen

45
dsp/q6afe.c
Datei anzeigen

@@ -400,6 +400,11 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload,
/* Set command specific details */
switch (opcode) {
case AFE_PORT_CMDRSP_GET_PARAM_V2:
if (payload_size < (5 * sizeof(uint32_t))) {
pr_err("%s: Error: size %d is less than expected\n",
__func__, payload_size);
return -EINVAL;
}
expected_size += sizeof(struct param_hdr_v1);
param_hdr.module_id = payload[1];
param_hdr.instance_id = INSTANCE_ID_0;
@@ -408,7 +413,17 @@ static int32_t sp_make_afe_callback(uint32_t opcode, uint32_t *payload,
data_start = &payload[4];
break;
case AFE_PORT_CMDRSP_GET_PARAM_V3:
if (payload_size < (6 * sizeof(uint32_t))) {
pr_err("%s: Error: size %d is less than expected\n",
__func__, payload_size);
return -EINVAL;
}
expected_size += sizeof(struct param_hdr_v3);
if (payload_size < expected_size) {
pr_err("%s: Error: size %d is less than expected\n",
__func__, payload_size);
return -EINVAL;
}
memcpy(&param_hdr, &payload[1], sizeof(struct param_hdr_v3));
data_start = &payload[5];
break;
@@ -597,6 +612,7 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv)
data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3) {
uint32_t *payload = data->payload;
uint32_t param_id;
uint32_t param_id_pos = 0;
if (!payload || (data->token >= AFE_MAX_PORTS)) {
pr_err("%s: Error: size %d payload %pK token %d\n",
@@ -605,9 +621,23 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv)
return -EINVAL;
}
param_id = (data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3) ?
payload[3] :
payload[2];
if (rtac_make_afe_callback(data->payload,
data->payload_size))
return 0;
if (data->opcode == AFE_PORT_CMDRSP_GET_PARAM_V3)
param_id_pos = 4;
else
param_id_pos = 3;
if (data->payload_size >= param_id_pos * sizeof(uint32_t))
param_id = payload[param_id_pos - 1];
else {
pr_err("%s: Error: size %d is less than expected\n",
__func__, data->payload_size);
return -EINVAL;
}
if (param_id == AUDPROC_PARAM_ID_FFV_DOA_TRACKING_MONITOR) {
doa_tracking_mon_afe_cb_handler(data->opcode,
data->payload, data->payload_size);
@@ -615,10 +645,6 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv)
av_dev_drift_afe_cb_handler(data->opcode, data->payload,
data->payload_size);
} else {
if (rtac_make_afe_callback(data->payload,
data->payload_size))
return 0;
if (sp_make_afe_callback(data->opcode, data->payload,
data->payload_size))
return -EINVAL;
@@ -645,6 +671,11 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv)
payload = data->payload;
if (data->opcode == APR_BASIC_RSP_RESULT) {
if (data->payload_size < (2 * sizeof(uint32_t))) {
pr_err("%s: Error: size %d is less than expected\n",
__func__, data->payload_size);
return -EINVAL;
}
pr_debug("%s:opcode = 0x%x cmd = 0x%x status = 0x%x token=%d\n",
__func__, data->opcode,
payload[0], payload[1], data->token);