copier: bound gateway config length to init payload size

lrgirdwo · lrgirdwo · commit e75b60f25d6b · 2026-06-11T14:40:46.000+01:00
The gateway configuration length from the init payload was multiplied
and used as a copy length from the mailbox without checking it against
the actual payload size. Reject a configuration that would read past the
init payload.

Signed-off-by: Liam Girdwood &lt;liam.r.girdwood@linux.intel.com&gt;
diff --git a/src/audio/copier/copier.c b/src/audio/copier/copier.c
@@ -147,6 +147,16 @@ __cold static int copier_init(struct processing_module *mod)
 		cfg_total_size += gtw_cfg_var_size;
 	}
 
+	/*
+	 * gtw_cfg.config_length is host-controlled; make sure the resulting
+	 * copy length does not read past the init payload in the mailbox.
+	 */
+	if (md->cfg.size && cfg_total_size > md->cfg.size) {
+		comp_err(dev, "copier_init(): cfg size %zu exceeds init payload %zu",
+			 cfg_total_size, md->cfg.size);
+		return -EINVAL;
+	}
+
 	cd = mod_zalloc(mod, sizeof(*cd) + gtw_cfg_var_size);
 	if (!cd)
 		return -ENOMEM;
