13 May
2016
13 May
'16
3:14 p.m.
On Fri, May 13, 2016 at 05:25:47PM +0530, Vinod Koul wrote:
- /* Get the FW pointer to derive ADSP header */
- buf = ctx->fw->data;
- adsp_hdr = (struct adsp_fw_hdr *)(buf + SKL_ADSP_FW_BIN_HDR_OFFSET);
- mod_entry = (struct adsp_module_entry *)
(buf + SKL_ADSP_FW_BIN_HDR_OFFSET + adsp_hdr->header_len);
What if we somehow managed to end up with a zero length firmware (or something smaller than these headers)?
/** we check if current pointer is larger than file size from* base value to check excceding the file while parsing*/if ((const char *)mod_entry >= buf + ctx->fw->size) {dev_err(ctx->dev,"Exceeds file bound: Entry %d Ptr %p\n",i, mod_entry);return -EIO;}
This checks the start of the entry but it still lets us read beyond the end of the file.