From f8db65fe4336baf818dde5d226eb3d35773e2371 Mon Sep 17 00:00:00 2001 From: Hans Verkuil Date: Thu, 30 Jun 2016 07:08:53 -0300 Subject: [PATCH] [media] cec-adap: prevent write to out-of-bounds array index CEC_MSG_REPORT_PHYSICAL_ADDR can theoretically be received from an unregistered device, but in that case the code should not attempt to write the received physical address to the phys_addrs array. That would be pointless since there can be multiple unregistered devices that report a physical address. We just ignore those. While at it, improve the dprintk since it would attempt to read from that array as well with the same out-of-bounds problem. Signed-off-by: Hans Verkuil Reported-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab --- drivers/staging/media/cec/cec-adap.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/staging/media/cec/cec-adap.c b/drivers/staging/media/cec/cec-adap.c index 98bdcf92a2b1..307af431aea7 100644 --- a/drivers/staging/media/cec/cec-adap.c +++ b/drivers/staging/media/cec/cec-adap.c @@ -1442,12 +1442,15 @@ static int cec_receive_notify(struct cec_adapter *adap, struct cec_msg *msg, switch (msg->msg[1]) { /* The following messages are processed but still passed through */ - case CEC_MSG_REPORT_PHYSICAL_ADDR: - adap->phys_addrs[init_laddr] = - (msg->msg[2] << 8) | msg->msg[3]; - dprintk(1, "Reported physical address %04x for logical address %d\n", - adap->phys_addrs[init_laddr], init_laddr); + case CEC_MSG_REPORT_PHYSICAL_ADDR: { + u16 pa = (msg->msg[2] << 8) | msg->msg[3]; + + if (!from_unregistered) + adap->phys_addrs[init_laddr] = pa; + dprintk(1, "Reported physical address %x.%x.%x.%x for logical address %d\n", + cec_phys_addr_exp(pa), init_laddr); break; + } case CEC_MSG_USER_CONTROL_PRESSED: if (!(adap->capabilities & CEC_CAP_RC)) -- 2.11.0