This comment is not related to your patch. On Wed, May 21, 2014 at 09:38:25AM +0200, jes.soren...@redhat.com wrote:
> static struct fwevent wlanevents[] =
> {
> - {0, rtw_dummy_event_callback23a}, /*0*/
> + {0, &dummy_event_callback}, /*0*/
> {0, NULL},
> {0, NULL},
These are called from mlme_evt_hdl23a(), that code looks like this:

drivers/staging/rtl8723au/core/rtw_mlme_ext.c
  6407  int mlme_evt_hdl23a(struct rtw_adapter *padapter, const u8 *pbuf)
  6408  {
  6409          u8 evt_code, evt_seq;
  6410          u16 evt_sz;
  6411          const struct C2HEvent_Header *c2h;
  6412          void (*event_callback)(struct rtw_adapter *dev, const u8 *pbuf);
  6413
  6414          c2h = (struct C2HEvent_Header *)pbuf;
  6415          evt_sz = c2h->len;
  6416          evt_seq = c2h->seq;
  6417          evt_code = c2h->ID;
  6418
  6419          /* checking if event code is valid */
  6420          if (evt_code >= MAX_C2HEVT) {
  6421                  RT_TRACE(_module_rtl871x_cmd_c_, _drv_err_, ("\nEvent Code(%d) mismatch!\n", evt_code));
  6422                  goto _abort_event_;
  6423          }
  6424
  6425          /* checking if event size match the event parm size */
  6426          if ((wlanevents[evt_code].parmsize != 0) &&
  6427              (wlanevents[evt_code].parmsize != evt_sz)) {
  6428                  RT_TRACE(_module_rtl871x_cmd_c_, _drv_err_, ("\nEvent(%d) Parm Size mismatch (%d vs %d)!\n",
  6429                           evt_code, wlanevents[evt_code].parmsize, evt_sz));
  6430                  goto _abort_event_;
  6431          }
  6432
  6433          event_callback = wlanevents[evt_code].event_callback;

There should be a check for:

        if (!event_callback)
                return H2C_SUCCESS;

Because that array is full of NULL pointers.

  6434          event_callback(padapter, pbuf + sizeof(struct C2HEvent_Header));
  6435
  6436  _abort_event_:
  6437
  6438          return H2C_SUCCESS;
  6439  }

I have invented a new tag called TODO-list: so I can do
`grep ^TODO-list: inbox` and find a TODO list of things to work on.

TODO-list: 2014-05-21: rtl8723au: potential NULL deref in mlme_evt_hdl23a()

regards,
dan carpenter