diff mbox series

[1/5] ASoC: SOF: control: fix size checks for ext_bytes control .get()

Message ID 20200921110814.2910477-2-kai.vehmanen@linux.intel.com
State New
Headers show
Series ASoC: SOF: fix kcontrol size checks | expand

Commit Message

Kai Vehmanen Sept. 21, 2020, 11:08 a.m. UTC 
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>

cppcheck complains twice:

sound/soc/sof/control.c:436:2: style: Assignment of function parameter
has no effect outside the function. [uselessAssignmentArg]
 size -= sizeof(const struct snd_ctl_tlv);
 ^

sound/soc/sof/control.c:436:7: style: Variable 'size' is assigned a
value that is never used. [unreadVariable]
 size -= sizeof(const struct snd_ctl_tlv);

Somehow we dropped the checks for the size argument when upstreaming
the code, somewhere between v5 and v6.

Re-add a size check to avoid providing userspace with more data that
it asked for.

Also fix all error codes, we should return -ENOSPC instead of -EINVAL.

Fixes: c3078f5397046 ('ASoC: SOF: Add Sound Open Firmware KControl support')
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
---
 sound/soc/sof/control.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/sound/soc/sof/control.c b/sound/soc/sof/control.c
index 58f8c998e6af..8d499d0e331d 100644
--- a/sound/soc/sof/control.c
+++ b/sound/soc/sof/control.c
@@ -432,7 +432,9 @@  int snd_sof_bytes_ext_get(struct snd_kcontrol *kcontrol,
 	 * Decrement the limit by ext bytes header size to
 	 * ensure the user space buffer is not exceeded.
 	 */
-	size -= sizeof(const struct snd_ctl_tlv);
+	if (size < sizeof(struct snd_ctl_tlv))
+		return -ENOSPC;
+	size -= sizeof(struct snd_ctl_tlv);
 
 	/* set the ABI header values */
 	cdata->data->magic = SOF_ABI_MAGIC;
@@ -448,6 +450,10 @@  int snd_sof_bytes_ext_get(struct snd_kcontrol *kcontrol,
 
 	data_size = cdata->data->size + sizeof(const struct sof_abi_hdr);
 
+	/* make sure we don't exceed size provided by user space for data */
+	if (data_size > size)
+		return -ENOSPC;
+
 	header.numid = scontrol->cmd;
 	header.length = data_size;
 	if (copy_to_user(tlvd, &header, sizeof(const struct snd_ctl_tlv)))