Skip to content

rtnr: clamp host-supplied control element counts#10911

Open
lgirdwood wants to merge 1 commit into
thesofproject:mainfrom
lgirdwood:fix-rtnr
Open

rtnr: clamp host-supplied control element counts#10911
lgirdwood wants to merge 1 commit into
thesofproject:mainfrom
lgirdwood:fix-rtnr

Conversation

@lgirdwood

@lgirdwood lgirdwood commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Member

The SWITCH control get and set handlers looped over a host-supplied element
count while reading/writing the control channel array, which could run past
the IPC payload. Reject counts larger than SOF_IPC_MAX_CHANNELS in both
handlers before the loop.

No functional change for valid configurations.

Copilot AI review requested due to automatic review settings June 15, 2026 09:45
Copilot AI reviewed Jun 15, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds bounds-checking for host-supplied SWITCH control element counts in rtnr get/set handlers to prevent reading/writing past the IPC payload.

Changes:

  • Validate cdata->num_elems against SOF_IPC_MAX_CHANNELS in rtnr_get_config().
  • Validate cdata->num_elems against SOF_IPC_MAX_CHANNELS in rtnr_set_value().

Comment thread src/audio/rtnr/rtnr.c
Comment on lines +457 to +461
if (cdata->num_elems > SOF_IPC_MAX_CHANNELS) {
comp_err(dev, "rtnr_get_config() error: num_elems %u out of range",
cdata->num_elems);
return -EINVAL;
}

@lgirdwood lgirdwood Jun 15, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reworded — the behaviour is intentional rejection (a control message with more elements than channels is malformed). I consolidated the get/set changes into a single commit titled "rtnr: reject out-of-range control switch element counts" and updated the PR description to match.

Comment thread src/audio/rtnr/rtnr.c
Comment on lines +568 to +572
if (cdata->num_elems > SOF_IPC_MAX_CHANNELS) {
comp_err(dev, "rtnr_set_value() error: num_elems %u out of range",
cdata->num_elems);
return -EINVAL;
}

@lgirdwood lgirdwood Jun 15, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed — both messages now include the limit: num_elems %u > max %u (with SOF_IPC_MAX_CHANNELS).

@lrgirdwo
rtnr: reject out-of-range control switch element counts
e139d14 
The SWITCH control get and set handlers looped over a host-supplied
element count while reading/writing the control channel array, which
could run past the IPC payload. Reject counts larger than the maximum
channel count in both handlers before the loop.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
abonislawski
abonislawski reviewed Jun 15, 2026
View reviewed changes

@abonislawski abonislawski left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lgirdwood looks like there are 2 accidentally added txt files?

Comment thread src/audio/rtnr/rtnr.c

case SOF_CTRL_CMD_SWITCH:
if (cdata->num_elems > SOF_IPC_MAX_CHANNELS) {
comp_err(dev, "rtnr_get_config() error: num_elems %u > max %u",

@abonislawski abonislawski Jun 15, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"rtnr_get_config()" func name duplicate not needed

Comment thread src/audio/rtnr/rtnr.c
int32_t j;

if (cdata->num_elems > SOF_IPC_MAX_CHANNELS) {
comp_err(dev, "rtnr_set_value() error: num_elems %u > max %u",

@abonislawski abonislawski Jun 15, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"rtnr_set_value()" func name duplicate not needed

singalsu
singalsu reviewed Jun 15, 2026
View reviewed changes

@singalsu singalsu left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The alsa-info.txt and dump.txt look like accidentally included to this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@singalsu singalsu singalsu left review comments

@abonislawski abonislawski abonislawski left review comments

Copilot code review Copilot Copilot left review comments

@plbossart plbossart Awaiting requested review from plbossart plbossart is a code owner

@mmaka1 mmaka1 Awaiting requested review from mmaka1 mmaka1 is a code owner

@lbetlej lbetlej Awaiting requested review from lbetlej lbetlej is a code owner

@dbaluta dbaluta Awaiting requested review from dbaluta dbaluta is a code owner

@kv2019i kv2019i Awaiting requested review from kv2019i kv2019i is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@lgirdwood @singalsu @abonislawski @lrgirdwo