Google Git
Sign in
android / platform / external / adhd / 4f59716f43cebdbb5ee21d5dc01a742bbb899190^! / .
commit4f59716f43cebdbb5ee21d5dc01a742bbb899190[log] [tgz]
authorJudy Hsiao <judyhsiao@google.com>Tue Jan 26 15:46:22 2021 +0800
committerCommit Bot <commit-bot@chromium.org>Thu Jan 28 20:49:57 2021 +0000
tree1e160694ca56fd76c49d19634948bae246508707
parent8a6882f2f8e63d7422e567470858d33e2a01285b [diff]
cros_asla: Update the TLV length check rule

tlv_buf[Self::LEN_OFFSET] should be less than the buffer length read by
snd_ctl_elem_tlv_read. snd_ctl_elem_tlv_read reads the max allowed
payload sized of the binary control.

BUG=b:157210111
TEST=1. cargo build
     2. verify the read size by `/sbin/initctl start sound_card_init \
	SOUND_CARD_ID=sofrt5682`

Change-Id: I6f5ed13f52d7b2cdfa75e9d1b2dbd7075638fb90
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/adhd/+/2652265
Commit-Queue: Judy Hsiao <judyhsiao@chromium.org>
Tested-by: Judy Hsiao <judyhsiao@chromium.org>
Reviewed-by: Chih-Yang Hsia <paulhsia@chromium.org>

diff --git a/cros_alsa/src/control_tlv.rs b/cros_alsa/src/control_tlv.rs
index 4041d9b..e1f3551 100644
--- a/cros_alsa/src/control_tlv.rs
+++ b/cros_alsa/src/control_tlv.rs

@@ -164,7 +164,8 @@
 
     /// Constructs a TLV from a vector with the following alsa tlv header validation:
     ///  1 . tlv_buf[Self::LEN_OFFSET] should be multiple of size_of::<u32>
-    ///  2 . tlv_buf[Self::LEN_OFFSET] should be the length of tlv value in byte.
+    ///  2 . tlv_buf[Self::LEN_OFFSET] is the length of tlv value in byte and
+    ///      should be less than the buffer length * size_of::<u32>.
     fn try_from(data: Vec<u32>) -> Result<Self> {
         if data.len() < 2 {
             return Err(Error::InvalidTLV);
@@ -175,7 +176,7 @@
         }
 
         if data[Self::LEN_OFFSET] / size_of::<u32>() as u32
-            != data[Self::VALUE_OFFSET..].len() as u32
+            > data[Self::VALUE_OFFSET..].len() as u32
         {
             return Err(Error::InvalidTLV);
         }
@@ -283,13 +284,20 @@
     }
 
     #[test]
-    fn test_tlv_invalid_length() {
+    fn test_tlv_length_is_not_multiple_of_sizeof_int() {
         // Invalid tlv length in data[Self::LEN_OFFSET].
         let tlv_buf = vec![0, 1, 2, 3, 4];
         assert_eq!(TLV::try_from(tlv_buf).unwrap_err(), Error::InvalidTLV);
     }
 
     #[test]
+    fn test_tlv_length_larger_than_buff_size() {
+        // Invalid tlv length in data[Self::LEN_OFFSET].
+        let tlv_buf = vec![0, 16, 2, 3, 4];
+        assert_eq!(TLV::try_from(tlv_buf).unwrap_err(), Error::InvalidTLV);
+    }
+
+    #[test]
     fn test_tlv_length_less_than_two() {
         // tlv buffer length < 2
         let tlv_buf = vec![0];