dsp: Add check for negative value size

There is a possibility where an access to /dev/msm_audio_cal from third party could pass negative size which would lead to crash. Avoid this by negative value size check. Change-Id: Id36c5f10dccbd7d0ee85aa3310badec6815237a2 Signed-off-by: Sujin Panicker <quic_spanic@quicinc.com>
2023-02-23 11:25:19 +05:30 · 2023-02-23 11:25:19 +05:30 · 2bd17f3f0d
commit 2bd17f3f0d
parent 819940c283
1 changed files with 2 additions and 1 deletions
--- a/dsp/audio_calibration.c
+++ b/dsp/audio_calibration.c
@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2014, 2016-2017, 2020-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/slab.h>
 #include <linux/fs.h>
@ -416,7 +417,7 @@ static long audio_cal_shared_ioctl(struct file *file, unsigned int cmd,
 		pr_err("%s: Could not copy size value from user\n", __func__);
 		ret = -EFAULT;
 		goto done;
-	} else if ((size < sizeof(struct audio_cal_basic))
+	} else if ((size < 0) || (size < sizeof(struct audio_cal_basic))
 		|| (size > MAX_IOCTL_CMD_SIZE)) {
 		pr_err("%s: Invalid size sent to driver: %d, max size is %d, min size is %zd\n",
 			__func__, size, MAX_IOCTL_CMD_SIZE,