mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-27 06:46:48 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

milan-avb: zero-pad oversized SET_CONTROL reply buffer to avoid stack info leak

Browse source
This commit is contained in:
hackerman-kl 2026-04-18 17:13:05 +02:00
parent b831fd857f
commit 0291895498
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c
View file

@ -87,6 +87,8 @@ static int reply_control_badargs(struct aecp *aecp, const void *m, int len,
m, len);
memcpy(buf, m, len);
if (pkt_size > len)
memset(buf + len, 0, pkt_size - len);
ae_reply = (struct avb_packet_aecp_aem_setget_control *)p_reply->payload;
control_copy_payload(format, ae_reply->payload, type_sz, count);
@ -120,6 +122,9 @@ static int handle_cmd_get_control_identify(struct aecp *aecp, struct descriptor
// Idenfity only has one value element
pkt_size = sizeof(*h) + sizeof(*p_reply)+ CONTROL_LINEAR_UINT8_SIZE;
if (pkt_size > len)
memset(buf + len, 0, pkt_size - len);
control_copy_payload(desc_formats, ae_reply->payload,
CONTROL_LINEAR_UINT8_SIZE, 1);