[media] cec: add sanity check for msg->len
author Hans Verkuil <[email protected]>
Tue, 12 Jul 2016 14:10:41 +0000 (11:10 -0300)
committer Mauro Carvalho Chehab <[email protected]>
Wed, 13 Jul 2016 10:58:12 +0000 (07:58 -0300)
Check (and warn) if the msg->len is too long or if it is 0.

Should never happen, but just in case...

Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
drivers/staging/media/cec/cec-adap.c

index f184bf6945cc667a77ccd717527eba57a52a99a0..3925e0ae62a5b8247268726643f6f36fe350b409 100644 (file)
@@ -763,6 +763,9 @@ void cec_received_msg(struct cec_adapter *adap, struct cec_msg *msg)
        bool is_reply = false;
        bool valid_la = true;
 
+       if (WARN_ON(!msg->len || msg->len > CEC_MAX_MSG_SIZE))
+               return;
+
        mutex_lock(&adap->lock);
        msg->ts = ktime_get_ns();
        msg->rx_status = CEC_RX_STATUS_OK;
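
Review bot: The new check at the top of cec_received_msg() uses WARN_ON, which prints a full backtrace every time it fires; since this is the receive path, a driver that keeps handing in a bad msg->len would flood the log, and on systems running with panic_on_warn each hit is a crash. Consider WARN_ON_ONCE here, or a rate-limited message, keeping the early return. Because the function returns void, the caller also gets no indication that the message was dropped, so a short comment saying that a zero or over-long length is treated as a driver bug and the message is discarded would help. Placing the check before mutex_lock(&adap->lock) is fine, as it only reads msg and leaves nothing to unlock on the early return.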