On Thu, Feb 14, 2019 at 08:56:42AM -0600, Pierre-Louis Bossart wrote:
> On 2/14/19 5:52 AM, Takashi Iwai wrote:
> > Pierre-Louis Bossart wrote:
> > > + ret = snd_sof_dsp_get_reply(sdev, msg);
> > > + if (msg->reply_size)
> > > + memcpy(reply_data, msg->reply_data, msg->reply_size);
> > I'd add a sanity check here for avoiding a buffer overflow.
> > The reply buffer seems to be allocated in PAGE_SIZE. Will it be more
> > than that?
> Good point, we'll check all the info returned by the DSP and see if they
> need to be range-checked or size-checked.

I think it's better to just do the range checks even if they're not needed right now; it's safer in case someone adds bigger messages or there's some bug that corrupts the size.
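
Review bot: The memcpy() in the quoted hunk uses msg->reply_size as its length with no upper bound, so a size that is larger than either buffer overruns reply_data or reads past msg->reply_data. Before copying, compare msg->reply_size against the capacity of the caller's reply_data buffer (the hunk does not show one being passed in, so the function may need a size argument) and against the allocated size of msg->reply_data, and return an error such as -EINVAL instead of copying when it does not fit. The copy also runs regardless of ret from snd_sof_dsp_get_reply(); skipping the memcpy when ret is negative would avoid handing the caller data from a failed reply.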