Commit c5003f0
ASoC: SOF: ipc-msg-injector: Cap the rmaining to count in IPC4 mode
If user space provides smaller buffer than the IPC4 reply then it is
possible that we corrupt user space memory since the IPC4 dfs_read function
is not using the count directly in copy_to_user() due to the nature of
an IPC4 message.
Cap the remaining counter to make sure that we are not writing too much to
the user space provided buffer.
Add a check also to make sure that the buffer is at least the size of the
IPC4 header.
Fixes: 066c676: "ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://lore.kernel.org/r/20220516092442.17027-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>1 parent dba2d5a commit c5003f0
1 file changed
Lines changed: 11 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
76 | 76 | | |
77 | 77 | | |
78 | 78 | | |
| 79 | + | |
79 | 80 | | |
80 | 81 | | |
81 | 82 | | |
82 | 83 | | |
83 | 84 | | |
84 | | - | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
85 | 90 | | |
86 | 91 | | |
87 | 92 | | |
| |||
90 | 95 | | |
91 | 96 | | |
92 | 97 | | |
| 98 | + | |
| 99 | + | |
93 | 100 | | |
94 | 101 | | |
95 | | - | |
| 102 | + | |
96 | 103 | | |
97 | 104 | | |
98 | | - | |
99 | | - | |
| 105 | + | |
| 106 | + | |
100 | 107 | | |
101 | 108 | | |
102 | 109 | | |
| |||
0 commit comments