From 145c630b36e8420dd4fa80e174ab95d07afe2b48 Mon Sep 17 00:00:00 2001 From: Karthikeyan Mani Date: Tue, 3 Jan 2017 14:12:28 -0800 Subject: [PATCH] ASoC: msm: qdsp6v2: Fix out-of-bounds access in put functions Add out of bounds check in routing put functions for the mux value before accessing the texts pointer of soc_enum struct with mux as index. CRs-fixed: 1097569 Change-Id: If1161ea918680deacc0d322d11f42637f377a9ab Signed-off-by: Karthikeyan Mani --- sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c index 9164475386ff..b5570e47eae3 100644 --- a/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c +++ b/sound/soc/msm/qdsp6v2/msm-pcm-routing-v2.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -1821,6 +1821,11 @@ static int msm_routing_lsm_mux_put(struct snd_kcontrol *kcontrol, int lsm_port = AFE_PORT_ID_SLIMBUS_MULTI_CHAN_5_TX; struct snd_soc_dapm_update *update = NULL; + if (mux >= e->items) { + pr_err("%s: Invalid mux value %d\n", __func__, mux); + return -EINVAL; + } + pr_debug("%s: LSM enable %ld\n", __func__, ucontrol->value.integer.value[0]); switch (ucontrol->value.integer.value[0]) { @@ -2144,6 +2149,11 @@ static int msm_routing_ec_ref_rx_put(struct snd_kcontrol *kcontrol, struct soc_enum *e = (struct soc_enum *)kcontrol->private_value; struct snd_soc_dapm_update *update = NULL; + if (mux >= e->items) { + pr_err("%s: Invalid mux value %d\n", __func__, mux); + return -EINVAL; + } + mutex_lock(&routing_lock); switch (ucontrol->value.integer.value[0]) { case 0: @@ -2312,6 +2322,11 @@ static int msm_routing_ext_ec_put(struct snd_kcontrol *kcontrol, uint16_t ext_ec_ref_port_id; struct snd_soc_dapm_update *update = NULL; + if (mux >= e->items) { + pr_err("%s: Invalid mux value %d\n", __func__, mux); + return -EINVAL; + } + mutex_lock(&routing_lock); msm_route_ext_ec_ref = ucontrol->value.integer.value[0];