On Wed, Jun 03, 2020 at 11:37:44AM +0000, Steve Lee wrote: > > This is now reading the size out of the header of the file which is good > > but it > > should also validate that the file is big enough to have this much data in > > it, > > otherwise it's possible to read beyond the end of the firmware file (eg, if > > it got > > truncated somehow). Previously the code used the size of the file read > > from disk > > so that wasn't an issue.
> Thanks for quick comment. Can this case cover by below line?
> + if (fw->size < MAX98390_DSM_PARAM_MIN_SIZE) {
> + dev_err(component->dev,
> + "param fw is invalid.\n");
> + goto err_alloc;
> + }
No, that doesn't cover all of it - the case I'm concerned about is the
case where we've got enough data for the header but the payload is
truncated. You need a check that param_size + _PAYLOAD_OFFSET is less
than fw->size as well.
signature.asc
Description: PGP signature
