copier: validate ipc gateway config length covers the blob

The IPC gateway path read a config blob from the gateway data without
checking the declared config length covered it, over-reading the mailbox
tail. Reject a config length too small for the gateway config header and
blob.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

Author: lrgirdwo

src/audio/copier/copier_ipcgtw.c

@@ -223,6 +223,17 @@ __cold int copier_ipcgtw_create(struct processing_module *mod,
 		return -EINVAL;
 	}
 
+	/* config_length is in dwords; make sure it covers the gateway config
+	 * header and the full blob read below before dereferencing it
+	 */
+	if ((size_t)gtw_cfg->config_length * sizeof(uint32_t) <
+	    sizeof(struct ipc4_gateway_config_data) +
+	    sizeof(struct ipc4_ipc_gateway_config_blob)) {
+		comp_err(dev, "ipc4_gateway_config_data too small: %u",
+			 gtw_cfg->config_length);
+		return -EINVAL;
+	}
+
 	cd->ipc_gtw = true;
 
 	/* The IPC gateway is treated as a host gateway */