From 0291895498dbbe0f17651b88348505ea0dcf041e Mon Sep 17 00:00:00 2001
From: hackerman-kl
Date: Sat, 18 Apr 2026 17:13:05 +0200
Subject: [PATCH] milan-avb: zero-pad oversized SET_CONTROL reply buffer to avoid stack info leak
---
 .../module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c b/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c
index 1b1ce2b8c..7891782ff 100644
--- a/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c
+++ b/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c
@@ -87,6 +87,8 @@ static int reply_control_badargs(struct aecp *aecp, const void *m, int len,
 m, len);
 memcpy(buf, m, len);
+ if (pkt_size > len)
+ memset(buf + len, 0, pkt_size - len);
 ae_reply = (struct avb_packet_aecp_aem_setget_control *)p_reply->payload;
 control_copy_payload(format, ae_reply->payload, type_sz, count);
@@ -120,6 +122,9 @@ static int handle_cmd_get_control_identify(struct aecp *aecp, struct descriptor
 // Idenfity only has one value element
 pkt_size = sizeof(*h) + sizeof(*p_reply)+ CONTROL_LINEAR_UINT8_SIZE;
+ if (pkt_size > len)
+ memset(buf + len, 0, pkt_size - len);
+
 control_copy_payload(desc_formats, ae_reply->payload, CONTROL_LINEAR_UINT8_SIZE, 1);
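Review bot: The added `memset(buf + len, 0, pkt_size - len)` in reply_control_badargs makes `pkt_size` the upper bound of a write into `buf`, yet nothing visible in the hunk checks `pkt_size` (or `len`, for the `memcpy` just above it) against the capacity of `buf`. If `buf` is a fixed-size local array, as the commit subject suggests, a guard such as `if (len < 0 || (size_t)len > sizeof(buf) || pkt_size > sizeof(buf))` with an error return before the `memcpy` would keep the fix from trading the uninitialised-stack disclosure for an out-of-bounds write. If those bounds are already enforced earlier in the function, a one-line comment above the padding saying so would help the next reader. The same applies to the identical padding added in handle_cmd_get_control_identify, and since the two-line pattern is now duplicated it could move into one small static helper. `len` is an `int` and the declaration of `pkt_size` is outside both hunks, so `pkt_size > len` may compare signed with unsigned; both function bodies start and end outside the hunks.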