Tools: Testbench: Fix bytes control data validation in tb_send_bytes_data

singalsu · lgirdwood · commit d2145086b075 · 2026-03-27T12:40:21.000Z
The change in removing bytes control blob in module init() triggered
an issue in sof-testbench4. It resulted in valgrind fail with
scripts/host-testbench.sh run with error "Invalid read of size 1" in
"memcpy(msg + sizeof(config), (char *)abi-&gt;data + offset, chunk_size)".
The invalid read happens when abi-&gt;data doesn't have chunk_size bytes
available.

The fix is to skip bytes controls with no private data to avoid
reading garbage abi-&gt;size from adjacent topology buffer data, which
causes invalid memory reads in tb_send_bytes_data().

Signed-off-by: Seppo Ingalsuo &lt;seppo.ingalsuo@linux.intel.com&gt;
diff --git a/tools/testbench/topology_ipc4.c b/tools/testbench/topology_ipc4.c
@@ -1286,6 +1286,7 @@ static int tb_kcontrol_cb_new(struct snd_soc_tplg_ctl_hdr *tplg_ctl,
 	struct snd_soc_tplg_mixer_control *tplg_mixer;
 	struct snd_soc_tplg_enum_control *tplg_enum;
 	struct snd_soc_tplg_bytes_control *tplg_bytes;
+	struct sof_abi_hdr *abi;
 
 	if (glb->num_ctls >= TB_MAX_CTLS) {
 		fprintf(stderr, "Error: Too many controls already.\n");
@@ -1358,7 +1359,26 @@ static int tb_kcontrol_cb_new(struct snd_soc_tplg_ctl_hdr *tplg_ctl,
 				tplg_bytes->priv.size);
 			return -EINVAL;
 		}
-		ctl->data = tplg_bytes->priv.data;
+
+		if (tplg_bytes->priv.size >= sizeof(struct sof_abi_hdr)) {
+			abi = (struct sof_abi_hdr *)tplg_bytes->priv.data;
+			if (abi->size > TB_MAX_BYTES_DATA_SIZE) {
+				fprintf(stderr,
+					"Error: ABI payload size %u exceeds max %d\n",
+					abi->size, TB_MAX_BYTES_DATA_SIZE);
+				return -EINVAL;
+			}
+			if (tplg_bytes->priv.size <
+			    sizeof(struct sof_abi_hdr) + abi->size) {
+				fprintf(stderr,
+					"Error: bytes data size %d is smaller than ABI header + payload (%zu + %u)\n",
+					tplg_bytes->priv.size,
+					sizeof(struct sof_abi_hdr), abi->size);
+				return -EINVAL;
+			}
+			ctl->data = tplg_bytes->priv.data;
+		}
+
 		ctl->comp_info = comp_info;
 		strncpy(ctl->name, tplg_ctl->name, TB_MAX_CTL_NAME_CHARS);
 		break;
diff --git a/tools/testbench/utils_ipc4.c b/tools/testbench/utils_ipc4.c
@@ -290,7 +290,8 @@ static int tb_set_up_widget(struct testbench_prm *tp, struct tplg_comp_info *com
 		/* send the bytes data from kcontrols associated with current widget */
 		if (ctl->module_id != comp_info->module_id ||
 		    ctl->instance_id != comp_info->instance_id ||
-		    ctl->type != SND_SOC_TPLG_TYPE_BYTES)
+		    ctl->type != SND_SOC_TPLG_TYPE_BYTES ||
+		    !ctl->data)
 			continue;
 
 		abi = (struct sof_abi_hdr *)ctl->data;
