[PATCH 61/74] staging: rtl8723au: Move dummy_event_callback() to rtw_mlme_ext.c

Wed May 21 14:19:34 UTC 2014

This comment is not related to your patch.

On Wed, May 21, 2014 at 09:38:25AM +0200, Jes.Sorensen at redhat.com wrote:
>  static struct fwevent wlanevents[] =
>  {
> -	{0, rtw_dummy_event_callback23a},	/*0*/
> +	{0, &dummy_event_callback},	/*0*/
>  	{0, NULL},
>  	{0, NULL},

These are called from mlme_evt_hdl23a(), that code looks like this:

drivers/staging/rtl8723au/core/rtw_mlme_ext.c
  6407  int mlme_evt_hdl23a(struct rtw_adapter *padapter, const u8 *pbuf)
  6408  {
  6409          u8 evt_code, evt_seq;
  6410          u16 evt_sz;
  6411          const struct C2HEvent_Header *c2h;
  6412          void (*event_callback)(struct rtw_adapter *dev, const u8 *pbuf);
  6413  
  6414          c2h = (struct C2HEvent_Header *)pbuf;
  6415          evt_sz = c2h->len;
  6416          evt_seq = c2h->seq;
  6417          evt_code = c2h->ID;
  6418  
  6419          /*  checking if event code is valid */
  6420          if (evt_code >= MAX_C2HEVT) {
  6421                  RT_TRACE(_module_rtl871x_cmd_c_, _drv_err_, ("\nEvent Code(%d) mismatch!\n", evt_code));
  6422                  goto _abort_event_;
  6423          }
  6424  
  6425          /*  checking if event size match the event parm size */
  6426          if ((wlanevents[evt_code].parmsize != 0) &&
  6427              (wlanevents[evt_code].parmsize != evt_sz)) {
  6428                  RT_TRACE(_module_rtl871x_cmd_c_, _drv_err_, ("\nEvent(%d) Parm Size mismatch (%d vs %d)!\n",
  6429                          evt_code, wlanevents[evt_code].parmsize, evt_sz));
  6430                  goto _abort_event_;
  6431          }
  6432  
  6433          event_callback = wlanevents[evt_code].event_callback;

There should be a check for:

		if (!event_callback)
			return H2C_SUCCESS;

Because that array is full of NULL pointers.

  6434          event_callback(padapter, pbuf + sizeof(struct C2HEvent_Header));
  6435  
  6436  _abort_event_:
  6437  
  6438          return H2C_SUCCESS;
  6439  }

I have invented a new tag called TODO-list: so I can do
`grep ^TODO-list: inbox` and find a TODO list of things to work on.

TODO-list: 2014-05-21: rtl8723au: potential NULL deref in mlme_evt_hdl23a()

regards,
dan carpenter