From b06121a084686a68a27564b16d51cbcd75f8731e Mon Sep 17 00:00:00 2001
From: Adrian Bonislawski
Date: Fri, 15 May 2026 10:33:26 +0200
Subject: [PATCH 1/2] ipc4: helper: guard TLV loop against NULL from tlv_next()
Add 'tlvs &&' to the for-loop condition in ipc4_find_dma_config_multiple(). tlv_next() returns NULL on malformed TLV (length not a multiple of 4). The existing loop condition '(uint32_t)tlvs < end_addr' does not catch NULL (0 < end_addr is always true), causing a NULL pointer dereference in the next iteration via tlv_value_ptr_get() or tlv_next().
Signed-off-by: Adrian Bonislawski
---
 src/ipc/ipc4/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ipc/ipc4/helper.c b/src/ipc/ipc4/helper.c
index a81a75312f13..504e4a12bf90 100644
--- a/src/ipc/ipc4/helper.c
+++ b/src/ipc/ipc4/helper.c
@@ -1307,7 +1307,7 @@ int ipc4_find_dma_config_multiple(struct ipc_config_dai *dai, uint8_t *data_buff
 struct ipc_dma_config *dma_cfg;
 struct sof_tlv *tlvs;
 
- for (tlvs = (struct sof_tlv *)data_buffer; (uint32_t)tlvs < end_addr;
+ for (tlvs = (struct sof_tlv *)data_buffer; tlvs && (uint32_t)tlvs < end_addr;
 tlvs = tlv_next(tlvs)) {
 dma_cfg = tlv_value_ptr_get(tlvs, GTW_DMA_CONFIG_ID);
 if (!dma_cfg)
From fef310ea046419f802d4e74105943249ccfb3cc6 Mon Sep 17 00:00:00 2001
From: Adrian Bonislawski
Date: Fri, 15 May 2026 12:49:49 +0200
Subject: [PATCH 2/2] tlv: guard tlv_value_get() loop against NULL from tlv_next()
Add 'tlv &&' to the while-loop condition in tlv_value_get(). tlv_next() returns NULL on malformed TLV (length not a multiple of 4). The existing condition '(uint32_t)tlv < end_addr' does not catch NULL, causing a NULL dereference on the next iteration. This is reachable from host IPC via copier_host_create() which parses optional TLV data appended to the copier module configuration blob.
Signed-off-by: Adrian Bonislawski
---
 src/include/sof/tlv.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
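Review bot: The added `tlvs &&` stops the loop on the NULL that tlv_next() returns, but the remaining bound `(uint32_t)tlvs < end_addr` only checks that an entry starts inside the buffer, so a header whose `type`/`length` fields straddle `end_addr`, or a `length` that extends past it, is still read by tlv_value_ptr_get() on the next line. Since this blob arrives from the host over IPC, the for condition should also require the header to fit, e.g. `tlvs && (uint32_t)tlvs + sizeof(*tlvs) <= end_addr`, and either the loop or tlv_value_ptr_get() should reject an entry whose value runs past `end_addr` (tlv_next() and tlv_value_ptr_get() are not visible here, so confirm neither already enforces this). The `(uint32_t)` pointer casts are pre-existing; if this file is ever built for a 64-bit target they truncate the comparison silently, and a `uintptr_t` comparison would be the safer form. The same header-fit gap applies to the tlv_value_get() hunk in src/include/sof/tlv.h. The body of ipc4_find_dma_config_multiple() continues past the end of the hunk.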
diff --git a/src/include/sof/tlv.h b/src/include/sof/tlv.h
index 24155707dfd4..442c03a5fc69 100644
--- a/src/include/sof/tlv.h
+++ b/src/include/sof/tlv.h
@@ -91,7 +91,7 @@ static inline void tlv_value_get(const void *data,
 const struct sof_tlv *tlv = (const struct sof_tlv *)data;
 const uint32_t end_addr = (uint32_t)data + size;
 
- while ((uint32_t)tlv < end_addr) {
+ while (tlv && (uint32_t)tlv < end_addr) {
 if (tlv->type == type) {
 *value = (void *)tlv->value;
 *length = tlv->length;
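Review bot: The new `tlv &&` guard makes a malformed entry end the search silently, so from the caller's side a truncated or corrupt blob now looks exactly like a blob that simply lacks `type`, and nothing in the hunk says so; add a comment on the while, e.g. `/* tlv_next() returns NULL on a malformed entry; treat the rest of the blob as absent */`. The function's doc comment, which sits above the hunk and is not visible here, should state the same, because tlv_value_get() returns void and cannot report the malformed case to callers such as the copier_host_create() path named in the commit message. If callers need to distinguish the two cases, a follow-up could make tlv_value_get() return a status, but that is an interface change beyond this fix. The body of tlv_value_get() starts and ends outside the hunk.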