c5003f08fe
If user space provides smaller buffer than the IPC4 reply then it is
possible that we corrupt user space memory since the IPC4 dfs_read function
is not using the count directly in copy_to_user() due to the nature of
an IPC4 message.
Cap the remaining counter to make sure that we are not writing too much to
the user space provided buffer.
Add a check also to make sure that the buffer is at least the size of the
IPC4 header.
Fixes: 066c67624d: "ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://lore.kernel.org/r/20220516092442.17027-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
8.5 KiB
8.5 KiB