mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-28 06:46:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

milan-avb: bound packet copy length in get-set-control handlers

Browse source
This commit is contained in:
hackerman-kl 2026-04-16 19:50:33 +02:00
parent f06234fda8
commit b831fd857f
1 changed files with 12 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c
View file

@ -3,6 +3,7 @@
/* SPDX-FileCopyrightText: Copyright © 2026 Alexandre Malki <alexandre.malki@kebag-logic.com> */ /* SPDX-FileCopyrightText: Copyright © 2026 Alexandre Malki <alexandre.malki@kebag-logic.com> */
/* SPDX-License-Identifier: MIT */ /* SPDX-License-Identifier: MIT */
#include <errno.h>
#include <limits.h> #include <limits.h>
#include <inttypes.h> #include <inttypes.h>
#include <stdbool.h> #include <stdbool.h>
@ -44,6 +45,9 @@ static int send_unsol_control_milan_v12(struct aecp *aecp,
struct aecp_aem_base_info info = { 0 }; struct aecp_aem_base_info info = { 0 };
int rc = 0; int rc = 0;
if (len > sizeof(unsol_buf))
return -EINVAL;
memcpy(unsol_buf, m, len); memcpy(unsol_buf, m, len);
/* Prepare a template packet */ /* Prepare a template packet */
info.controller_entity_id = htobe64(ctrler_id); info.controller_entity_id = htobe64(ctrler_id);
@ -78,6 +82,10 @@ static int reply_control_badargs(struct aecp *aecp, const void *m, int len,
m, len); m, len);
} }
if (len < 0 || (size_t)len > sizeof(buf))
return reply_status(aecp, AVB_AECP_AEM_STATUS_BAD_ARGUMENTS,
m, len);
memcpy(buf, m, len); memcpy(buf, m, len);
ae_reply = (struct avb_packet_aecp_aem_setget_control *)p_reply->payload; ae_reply = (struct avb_packet_aecp_aem_setget_control *)p_reply->payload;
@ -102,6 +110,10 @@ static int handle_cmd_get_control_identify(struct aecp *aecp, struct descriptor
ctrl_desc = desc->ptr; ctrl_desc = desc->ptr;
desc_formats = ctrl_desc->value_format; desc_formats = ctrl_desc->value_format;
if (len < 0 || (size_t)len > sizeof(buf))
return reply_status(aecp, AVB_AECP_AEM_STATUS_BAD_ARGUMENTS,
m, len);
memcpy(buf, m, len); memcpy(buf, m, len);
ae_reply = (struct avb_packet_aecp_aem_setget_control *)p_reply->payload; ae_reply = (struct avb_packet_aecp_aem_setget_control *)p_reply->payload;