volume: validate init payload covers per-channel config

lrgirdwo · lrgirdwo · commit 2078f8bc0b5e · 2026-06-17T14:36:10.000+01:00
Init read a per-channel config array sized by the channel count from the
init payload without checking the payload was large enough, reading past
the mailbox. Require the payload to cover the base config and all
per-channel entries.

Signed-off-by: Liam Girdwood &lt;liam.r.girdwood@linux.intel.com&gt;
diff --git a/src/audio/volume/volume_ipc4.c b/src/audio/volume/volume_ipc4.c
@@ -127,6 +127,15 @@ int volume_init(struct processing_module *mod)
 		return -EINVAL;
 	}
 
+	/* the per-channel config[] array is read below for every channel, so
+	 * the init payload must be large enough to hold them all
+	 */
+	if (cfg->size < sizeof(*vol) + channels_count * sizeof(vol->config[0])) {
+		comp_err(dev, "Invalid init payload size %zu for %u channels",
+			 cfg->size, channels_count);
+		return -EINVAL;
+	}
+
 	cd = mod_zalloc(mod, sizeof(struct vol_data));
 	if (!cd)
 		return -ENOMEM;
