ASoC: topology: Add header payload_size verification

Add sanity check to make sure the data is read within file boundary. Helps in situations where file is only partially copied or malformed. Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com> Link: https://lore.kernel.org/r/20211015161257.27052-3-cezary.rojewski@intel.comSigned-off-by: Mark Brown <broonie@kernel.org>

ASoC: topology: Add header payload_size verification
Add sanity check to make sure the data is read within file boundary. Helps in situations where file is only partially copied or malformed. Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com> Link: https://lore.kernel.org/r/20211015161257.27052-3-cezary.rojewski@intel.comSigned-off-by: Mark Brown <broonie@kernel.org>
86e2d14b · Cezary Rojewski · Mark Brown · 7db53c21 · 86e2d14b
Commit 86e2d14b authored Oct 15, 2021 by Cezary Rojewski Committed by Mark Brown Oct 29, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

sound/soc/soc-topology.c sound/soc/soc-topology.c +9 -0

No files found.
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -2438,6 +2438,7 @@ static int soc_tplg_manifest_load(struct soc_tplg *tplg,
 		_manifest = manifest;
 	} else {
 		abi_match = false;
 		ret = manifest_new_ver(tplg, manifest, &_manifest);
 		if (ret < 0)
 			return ret;
@@ -2468,6 +2469,14 @@ static int soc_valid_header(struct soc_tplg *tplg,
 		return -EINVAL;
 	}
+	if (soc_tplg_get_hdr_offset(tplg) + hdr->payload_size >= tplg->fw->size) {
+		dev_err(tplg->dev,
+			"ASoC: invalid header of type %d at offset %ld payload_size %d\n",
+			le32_to_cpu(hdr->type), soc_tplg_get_hdr_offset(tplg),
+			hdr->payload_size);
+		return -EINVAL;
+	}
 	/* big endian firmware objects not supported atm */
 	if (le32_to_cpu(hdr->magic) == SOC_TPLG_MAGIC_BIG_ENDIAN) {
 		dev_err(tplg->dev,