Skip to content

tools: ctl: bound csv data write against abi header size#10977

Open
jmestwa-coder wants to merge 1 commit into
thesofproject:mainfrom
jmestwa-coder:ctl-csv-abi-bound
Open

tools: ctl: bound csv data write against abi header size#10977
jmestwa-coder wants to merge 1 commit into
thesofproject:mainfrom
jmestwa-coder:ctl-csv-abi-bound

Conversation

@jmestwa-coder

Copy link
Copy Markdown
Contributor

ascii csv input in read_setup() overflows the tlv buffer with -r:

  • with -r (no_abi) the data write index starts past the 32-byte sof_abi_hdr
  • the per-value guard still checks n < n_max, where n_max is the unpadded ctrl_size
  • the binary branch reads only n_max - abi_size, the csv branch does not match it
  • a csv file with ctrl_size/4 values writes sizeof(struct sof_abi_hdr) bytes past the heap buffer

Bounded the csv write with n < n_max - abi_size like the binary branch.

The ascii csv branch of read_setup() advances the write index past the
32-byte abi header for -r (no_abi) input but still bounds each write with
n < n_max, while the binary branch stops at n_max - abi_size. A csv tuning
file with ctrl_size/4 values then writes sizeof(struct sof_abi_hdr) bytes
past the end of the tlv buffer. Bound the csv write the same way.

Signed-off-by: Syed Mohammed Nayyar <jmestwa@gmail.com>
@jmestwa-coder jmestwa-coder requested a review from singalsu as a code owner July 3, 2026 18:58
@sofci

sofci commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Can one of the admins verify this patch?

reply test this please to run this test once

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants