ipc4: helper: guard TLV loop against NULL from tlv_next()

abonislawski · abonislawski · commit b06121a08468 · 2026-05-15T10:46:06.000+02:00
Add 'tlvs &amp;&amp;' to the for-loop condition in ipc4_find_dma_config_multiple().
tlv_next() returns NULL on malformed TLV (length not a multiple of 4).
The existing loop condition '(uint32_t)tlvs &lt; end_addr' does not catch
NULL (0 &lt; end_addr is always true), causing a NULL pointer dereference
in the next iteration via tlv_value_ptr_get() or tlv_next().

Signed-off-by: Adrian Bonislawski &lt;adrian.bonislawski@intel.com&gt;
diff --git a/src/ipc/ipc4/helper.c b/src/ipc/ipc4/helper.c
@@ -1307,7 +1307,7 @@ int ipc4_find_dma_config_multiple(struct ipc_config_dai *dai, uint8_t *data_buff
 	struct ipc_dma_config *dma_cfg;
 	struct sof_tlv *tlvs;
 
-	for (tlvs = (struct sof_tlv *)data_buffer; (uint32_t)tlvs < end_addr;
+	for (tlvs = (struct sof_tlv *)data_buffer; tlvs && (uint32_t)tlvs < end_addr;
 	     tlvs = tlv_next(tlvs)) {
 		dma_cfg = tlv_value_ptr_get(tlvs, GTW_DMA_CONFIG_ID);
 		if (!dma_cfg)
