summaryrefslogtreecommitdiff
path: root/sound
diff options
context:
space:
mode:
authorPeter Ujfalusi <peter.ujfalusi@linux.intel.com>2023-03-07 13:49:17 +0200
committerMark Brown <broonie@kernel.org>2023-03-07 13:57:55 +0000
commit989a3e4479177d0f4afab8be1960731bc0ffbbd0 (patch)
treecabc329c4a89426482fda1aebf33a58bbfa1b3ea /sound
parent38d408f5b1250d56f8a19d2f2ff65aa8c7b93ff4 (diff)
ASoC: SOF: ipc3: Check for upper size limit for the received message
The sof_ipc3_rx_msg() checks for minimum size of a new rx message but it is missing the check for upper limit. Corrupted or compromised firmware might be able to take advantage of this to cause out of bounds reads outside of the message area. Reported-by: Curtis Malainey <cujomalainey@chromium.org> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com> Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Reviewed-by: Curtis Malainey <curtis@malainey.com> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com> Link: https://lore.kernel.org/r/20230307114917.5124-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown <broonie@kernel.org>
Diffstat (limited to 'sound')
-rw-r--r--sound/soc/sof/ipc3.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/sound/soc/sof/ipc3.c b/sound/soc/sof/ipc3.c
index 3de64ea2dc9a..4493bbd7faf1 100644
--- a/sound/soc/sof/ipc3.c
+++ b/sound/soc/sof/ipc3.c
@@ -970,8 +970,9 @@ static void sof_ipc3_rx_msg(struct snd_sof_dev *sdev)
return;
}
- if (hdr.size < sizeof(hdr)) {
- dev_err(sdev->dev, "The received message size is invalid\n");
+ if (hdr.size < sizeof(hdr) || hdr.size > SOF_IPC_MSG_MAX_SIZE) {
+ dev_err(sdev->dev, "The received message size is invalid: %u\n",
+ hdr.size);
return;
}