[media] cec: add sanity check for msg->len
author Hans Verkuil <hans.verkuil@cisco.com>
Tue, 12 Jul 2016 14:10:41 +0000 (11:10 -0300)
committer Mauro Carvalho Chehab <mchehab@s-opensource.com>
Wed, 13 Jul 2016 10:58:12 +0000 (07:58 -0300)
Check (and warn) if the msg->len is too long or if it is 0.

Should never happen, but just in case...

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
drivers/staging/media/cec/cec-adap.c

index f184bf6..3925e0a 100644 (file)
@@ -763,6 +763,9 @@ void cec_received_msg(struct cec_adapter *adap, struct cec_msg *msg)
        bool is_reply = false;
        bool valid_la = true;
 
+       if (WARN_ON(!msg->len || msg->len > CEC_MAX_MSG_SIZE))
+               return;
+
        mutex_lock(&adap->lock);
        msg->ts = ktime_get_ns();
        msg->rx_status = CEC_RX_STATUS_OK;
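
Review bot: The new check at the top of cec_received_msg() uses a plain WARN_ON, so every call with a bad msg->len prints a full backtrace. A driver that keeps delivering such messages can flood the log, and on a system booted with panic_on_warn each of them is a panic. WARN_ON_ONCE(!msg->len || msg->len > CEC_MAX_MSG_SIZE) gives the same diagnostic without the repetition. The function is void, so the early return drops the message without telling the caller; a one-line comment saying that the length comes from the low-level driver and that such messages are discarded would document that. Placing the check before mutex_lock(&adap->lock) is right, since the return path then needs no unlock.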