@@ -1442,12 +1442,15 @@ static int cec_receive_notify(struct cec_adapter *adap, struct cec_msg *msg,
switch (msg->msg[1]) {
/* The following messages are processed but still passed through */
- case CEC_MSG_REPORT_PHYSICAL_ADDR:
- adap->phys_addrs[init_laddr] =
- (msg->msg[2] << 8) | msg->msg[3];
- dprintk(1, "Reported physical address %04x for logical address %d\n",
- adap->phys_addrs[init_laddr], init_laddr);
+ case CEC_MSG_REPORT_PHYSICAL_ADDR: {
+ u16 pa = (msg->msg[2] << 8) | msg->msg[3];
+
+ if (!from_unregistered)
+ adap->phys_addrs[init_laddr] = pa;
+ dprintk(1, "Reported physical address %x.%x.%x.%x for logical address %d\n",
+ cec_phys_addr_exp(pa), init_laddr);
break;
+ }
case CEC_MSG_USER_CONTROL_PRESSED:
if (!(adap->capabilities & CEC_CAP_RC))
CEC_MSG_REPORT_PHYSICAL_ADDR can theoretically be received from an unregistered device, but in that case the code should not attempt to write the received physical address to the phys_addrs array. That would be pointless since there can be multiple unregistered devices that report a physical address. We just ignore those. While at it, improve the dprintk since it would attempt to read from that array as well with the same out-of-bounds problem. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/staging/media/cec/cec-adap.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)