From: Hans Verkuil Date: Thu, 30 Jun 2016 10:08:53 +0000 (-0300) Subject: [media] cec-adap: prevent write to out-of-bounds array index X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=f8db65fe4336baf818dde5d226eb3d35773e2371;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git [media] cec-adap: prevent write to out-of-bounds array index CEC_MSG_REPORT_PHYSICAL_ADDR can theoretically be received from an unregistered device, but in that case the code should not attempt to write the received physical address to the phys_addrs array. That would be pointless since there can be multiple unregistered devices that report a physical address. We just ignore those. While at it, improve the dprintk since it would attempt to read from that array as well with the same out-of-bounds problem. Signed-off-by: Hans Verkuil Reported-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/staging/media/cec/cec-adap.c b/drivers/staging/media/cec/cec-adap.c index 98bdcf92a2b1..307af431aea7 100644 --- a/drivers/staging/media/cec/cec-adap.c +++ b/drivers/staging/media/cec/cec-adap.c @@ -1442,12 +1442,15 @@ static int cec_receive_notify(struct cec_adapter *adap, struct cec_msg *msg, switch (msg->msg[1]) { /* The following messages are processed but still passed through */ - case CEC_MSG_REPORT_PHYSICAL_ADDR: - adap->phys_addrs[init_laddr] = - (msg->msg[2] << 8) | msg->msg[3]; - dprintk(1, "Reported physical address %04x for logical address %d\n", - adap->phys_addrs[init_laddr], init_laddr); + case CEC_MSG_REPORT_PHYSICAL_ADDR: { + u16 pa = (msg->msg[2] << 8) | msg->msg[3]; + + if (!from_unregistered) + adap->phys_addrs[init_laddr] = pa; + dprintk(1, "Reported physical address %x.%x.%x.%x for logical address %d\n", + cec_phys_addr_exp(pa), init_laddr); break; + } case CEC_MSG_USER_CONTROL_PRESSED: if (!(adap->capabilities & CEC_CAP_RC))