author | Karthik Reddy Katta <a_katta@codeaurora.org> | 2017-01-03 11:09:05 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-01-15 20:20:02 -0800 |
commit | 1673c4655d020fc9be4eb71bca28975d5c7ca7c7 (patch) | |
tree | ccf7d0cf84b10fad1bd1640493ef36f47ef24ba0 /sound | |
parent | 242e8667ed0a2aa1a4de41d61555e2a62cbe6e8f (diff) |
drivers: soc: qcom: Add overflow check in ADM driver
Add overflow check for param length to prevent
heap overflow while allocating memory for
ADM parameters.
CRs-Fixed: 1103334
Change-Id: I1163aeaabbc84dba4cd0739a35ecbdee18b42717
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
Diffstat (limited to 'sound')
-rw-r--r-- | sound/soc/msm/qdsp6v2/q6adm.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/sound/soc/msm/qdsp6v2/q6adm.c b/sound/soc/msm/qdsp6v2/q6adm.c
index 04eafdb240f2..163ebf1a18cf 100644
--- a/sound/soc/msm/qdsp6v2/q6adm.c
+++ b/sound/soc/msm/qdsp6v2/q6adm.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -978,9 +978,10 @@ int adm_get_params_v2(int port_id, int copp_idx, uint32_t module_id,
 char *params, uint32_t client_id)
 {
 struct adm_cmd_get_pp_params_v5 *adm_params = NULL;
- int sz, rc = 0, i = 0;
+ int rc = 0, i = 0;
 int port_idx, idx;
 int *params_data = (int *)params;
+ uint64_t sz = 0;
 port_id = afe_convert_virtual_to_portid(port_id);
 port_idx = adm_validate_and_get_port_index(port_id);
@@ -989,7 +990,16 @@ int adm_get_params_v2(int port_id, int copp_idx, uint32_t module_id,
 return -EINVAL;
 }
- sz = sizeof(struct adm_cmd_get_pp_params_v5) + params_length;
+ sz = (uint64_t)sizeof(struct adm_cmd_get_pp_params_v5) +
+ (uint64_t)params_length;
+ /*
+ * Check if the value of "sz" (which is ultimately assigned to
+ * "hdr.pkt_size") crosses U16_MAX.
+ */
+ if (sz > U16_MAX) {
+ pr_err("%s: Invalid params_length\n", __func__);
+ return -EINVAL;
+ }
 adm_params = kzalloc(sz, GFP_KERNEL);
 if (!adm_params) {
 pr_err("%s: adm params memory alloc failed", __func__); |
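Review bot: The new rejection path at `if (sz > U16_MAX)` logs only "Invalid params_length", so nobody reading the log can tell what size was refused; printing the computed value, e.g. `pr_err("%s: Invalid params_length, sz = %llu\n", __func__, (unsigned long long)sz);`, would make rejected requests diagnosable. The widening to `uint64_t` before the addition is what makes the comparison reliable, and a short comment on the `uint64_t sz = 0;` declaration saying so would keep a later cleanup from narrowing it back to `int`. The check bounds only the request allocation; the copy into the caller's buffer through `params_data` happens outside this hunk, so whether that path is also limited by `params_length` cannot be confirmed from here and is worth checking. The declaration of `params_length` and the rest of adm_get_params_v2 lie outside the visible hunks.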