[media] cec-adap: prevent write to out-of-bounds array index

CEC_MSG_REPORT_PHYSICAL_ADDR can theoretically be received from
an unregistered device, but in that case the code should not attempt
to write the received physical address to the phys_addrs array.

That would be pointless since there can be multiple unregistered
devices that report a physical address. We just ignore those.

While at it, improve the dprintk since it would attempt to read
from that array as well with the same out-of-bounds problem.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

1 files changed, 8 insertions, 5 deletions

diff --git a/drivers/staging/media/cec/cec-adap.c b/drivers/staging/media/cec/cec-adap.c
index 98bdcf92a2b1..307af431aea7 100644
--- a/drivers/staging/media/cec/cec-adap.c
+++ b/drivers/staging/media/cec/cec-adap.c
@@ -1442,12 +1442,15 @@ static int cec_receive_notify(struct cec_adapter *adap, struct cec_msg *msg,
 
 	switch (msg->msg[1]) {
 	/* The following messages are processed but still passed through */
-	case CEC_MSG_REPORT_PHYSICAL_ADDR:
-		adap->phys_addrs[init_laddr] =
-			(msg->msg[2] << 8) | msg->msg[3];
-		dprintk(1, "Reported physical address %04x for logical address %d\n",
-			adap->phys_addrs[init_laddr], init_laddr);
+	case CEC_MSG_REPORT_PHYSICAL_ADDR: {
+		u16 pa = (msg->msg[2] << 8) | msg->msg[3];
+
+		if (!from_unregistered)
+			adap->phys_addrs[init_laddr] = pa;
+		dprintk(1, "Reported physical address %x.%x.%x.%x for logical address %d\n",
+			cec_phys_addr_exp(pa), init_laddr);
 		break;
+	}
 
 	case CEC_MSG_USER_CONTROL_PRESSED:
 		if (!(adap->capabilities & CEC_CAP_RC))