SoC: msm: Add Buffer overflow check The overflow check is required to ensure that user space data in kernel may not go beyond buffer boundary. CRs-Fixed: 563086 Signed-off-by: Asish Bhattacharya <asishb@codeaurora.org> Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org> (cherry picked from commit 7e09949355b2dac9aac8bb414037ccaca3c68d86) Signed-off-by: Pavan Chikkala <pavanc@codeaurora.org> Change-Id: I4da774740c71b97dc2e4fd16c78bf065ad457690 Signed-off-by: Pavan Chikkala <pavanc@codeaurora.org>

commit: 7984181b225432a03dc69dcdb7bfd087841e7551 [log] [tgz]
author: Mohammad Johny Shaik <mjshai@codeaurora.org> Thu Nov 27 11:36:54 2014 +0530
committer: Pavan Chikkala <pavanc@codeaurora.org> Fri Dec 05 13:14:28 2014 +0530
tree: 59d04a9ff832053d3064b1bb6a0ef14f7916dc20
parent: 588a7689dd3df238a04ed14fd1453b2909a2abd8 [diff] [blame]
diff --git a/sound/soc/msm/qdsp6/q6asm.c b/sound/soc/msm/qdsp6/q6asm.c
index f566d83..36955ac 100644
--- a/sound/soc/msm/qdsp6/q6asm.c
+++ b/sound/soc/msm/qdsp6/q6asm.c

@@ -57,6 +57,7 @@
 #define OUT_BUFFER_SIZE 56
 #define IN_BUFFER_SIZE 24
 #endif
+#define FRAME_NUM   (8)
 static DEFINE_MUTEX(session_lock);
 
 /* session id: 0 reserved */
@@ -509,6 +510,9 @@
 			pr_debug("%s: buffer already allocated\n", __func__);
 			return 0;
 		}
+
+		if (bufcnt != FRAME_NUM)
+			goto fail;
 		mutex_lock(&ac->cmd_lock);
 		buf = kzalloc(((sizeof(struct audio_buffer))*bufcnt),
 				GFP_KERNEL);
commit	7984181b225432a03dc69dcdb7bfd087841e7551	[log] [tgz]
author	Mohammad Johny Shaik <mjshai@codeaurora.org>	Thu Nov 27 11:36:54 2014 +0530
committer	Pavan Chikkala <pavanc@codeaurora.org>	Fri Dec 05 13:14:28 2014 +0530
tree	59d04a9ff832053d3064b1bb6a0ef14f7916dc20
parent	588a7689dd3df238a04ed14fd1453b2909a2abd8 [diff] [blame]