From 2bd17f3f0d65a1271db348ee7576bdc364d7c958 Mon Sep 17 00:00:00 2001
From: Sujin Panicker
Date: Thu, 23 Feb 2023 11:25:19 +0530
Subject: [PATCH] dsp: Add check for negative value size

There is a possibility where an access to /dev/msm_audio_cal from third party could pass negative size which would lead to crash. Avoid this by negative value size check.

Change-Id: Id36c5f10dccbd7d0ee85aa3310badec6815237a2
Signed-off-by: Sujin Panicker
---
 dsp/audio_calibration.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dsp/audio_calibration.c b/dsp/audio_calibration.c
index a77be946a231..74a05c27b04a 100644
--- a/dsp/audio_calibration.c
+++ b/dsp/audio_calibration.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2014, 2016-2017, 2020-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include
 #include
@@ -416,7 +417,7 @@ static long audio_cal_shared_ioctl(struct file *file, unsigned int cmd,
 pr_err("%s: Could not copy size value from user\n", __func__);
 ret = -EFAULT;
 goto done;
- } else if ((size < sizeof(struct audio_cal_basic))
+ } else if ((size < 0) || (size < sizeof(struct audio_cal_basic))
 || (size > MAX_IOCTL_CMD_SIZE)) {
 pr_err("%s: Invalid size sent to driver: %d, max size is %d, min size is %zd\n",
 __func__, size, MAX_IOCTL_CMD_SIZE,
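Review bot: In the `else if` of the second hunk, the lower-bound test `size < sizeof(struct audio_cal_basic)` still compares what appears to be a signed `size` (it is printed with `%d`; its declaration is outside the hunk) against a `size_t`, so a negative value is converted to a large unsigned number and only the new `size < 0` term rejects it. I would make that conversion explicit so the guard does not depend on a reader spotting it: `} else if ((size < 0) || ((size_t)size < sizeof(struct audio_cal_basic))`, with a short comment such as `/* size is user-controlled and signed: reject negatives before the unsigned compare */`. The `pr_err` below also prints the `sizeof` result with `%zd` where `%zu` matches `size_t`. `audio_cal_shared_ioctl` starts and ends outside this hunk, so how `size` is used after the check cannot be confirmed from here.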