
mwifiex: restore handling of NULL parameters

Message ID 20110624133335.GP14591@shale.localdomain (mailing list archive)
State Not Applicable, archived

Commit Message

Dan Carpenter June 24, 2011, 1:33 p.m. UTC
Prior to a5ffddb70c5cab "mwifiex: remove casts of void pointers" the
code assumed that the data_buf parameter could be a NULL pointer.
The patch preserved some NULL checks but not consistently, so there
was a potential for NULL dereferences and it changed the behavior.
This patch restores the original behavior.

Signed-off-by: Dan Carpenter <error27@gmail.com>
---
Compile tested only.


Comments

Bing Zhao June 24, 2011, 7:32 p.m. UTC | #1
Hi Dan,

> Prior to a5ffddb70c5cab "mwifiex: remove casts of void pointers" the
> code assumed that the data_buf parameter could be a NULL pointer.
> The patch preserved some NULL checks but not consistently, so there
> was a potential for NULL dereferences and it changed the behavior.

Thanks for the catch!

> This patch restores the original behavior.
> 
> Signed-off-by: Dan Carpenter <error27@gmail.com>

Acked-by: Bing Zhao <bzhao@marvell.com>

Best regards,
Bing
 

Patch

diff --git a/drivers/net/wireless/mwifiex/sta_cmd.c b/drivers/net/wireless/mwifiex/sta_cmd.c
index d85a0a6..49b9c13 100644
--- a/drivers/net/wireless/mwifiex/sta_cmd.c
+++ b/drivers/net/wireless/mwifiex/sta_cmd.c
@@ -779,6 +779,8 @@  static int mwifiex_cmd_ibss_coalescing_status(struct host_cmd_ds_command *cmd,
 	case HostCmd_ACT_GEN_SET:
 		if (enable)
 			ibss_coal->enable = cpu_to_le16(*enable);
+		else
+			ibss_coal->enable = 0;
 		break;
 
 		/* In other case.. Nothing to do */
diff --git a/drivers/net/wireless/mwifiex/sta_cmdresp.c b/drivers/net/wireless/mwifiex/sta_cmdresp.c
index ad64c87..6804239 100644
--- a/drivers/net/wireless/mwifiex/sta_cmdresp.c
+++ b/drivers/net/wireless/mwifiex/sta_cmdresp.c
@@ -183,30 +183,32 @@  static int mwifiex_ret_802_11_rssi_info(struct mwifiex_private *priv,
  */
 static int mwifiex_ret_802_11_snmp_mib(struct mwifiex_private *priv,
 				       struct host_cmd_ds_command *resp,
-				       u32 *ul_temp)
+				       u32 *data_buf)
 {
 	struct host_cmd_ds_802_11_snmp_mib *smib = &resp->params.smib;
 	u16 oid = le16_to_cpu(smib->oid);
 	u16 query_type = le16_to_cpu(smib->query_type);
+	u32 ul_temp;
 
 	dev_dbg(priv->adapter->dev, "info: SNMP_RESP: oid value = %#x,"
 			" query_type = %#x, buf size = %#x\n",
 			oid, query_type, le16_to_cpu(smib->buf_size));
 	if (query_type == HostCmd_ACT_GEN_GET) {
-		if (ul_temp)
-			*ul_temp = le16_to_cpu(*((__le16 *) (smib->value)));
+		ul_temp = le16_to_cpu(*((__le16 *) (smib->value)));
+		if (data_buf)
+			*data_buf = ul_temp;
 		switch (oid) {
 		case FRAG_THRESH_I:
 			dev_dbg(priv->adapter->dev,
-				"info: SNMP_RESP: FragThsd =%u\n", *ul_temp);
+				"info: SNMP_RESP: FragThsd =%u\n", ul_temp);
 			break;
 		case RTS_THRESH_I:
 			dev_dbg(priv->adapter->dev,
-				"info: SNMP_RESP: RTSThsd =%u\n", *ul_temp);
+				"info: SNMP_RESP: RTSThsd =%u\n", ul_temp);
 			break;
 		case SHORT_RETRY_LIM_I:
 			dev_dbg(priv->adapter->dev,
-				"info: SNMP_RESP: TxRetryCount=%u\n", *ul_temp);
+				"info: SNMP_RESP: TxRetryCount=%u\n", ul_temp);
 			break;
 		default:
 			break;
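Review bot: The now-unconditional read `ul_temp = le16_to_cpu(*((__le16 *) (smib->value)));` takes two bytes from the firmware response without checking `smib->buf_size`, which is only logged a few lines above. If the device reports a shorter buffer, the value copied to `*data_buf` and printed is whatever happened to be in the response; a guard such as `if (le16_to_cpu(smib->buf_size) < sizeof(__le16)) return -1;` before the read would make that explicit (the right error code depends on the driver's convention, which is not visible here). The cast also assumes `smib->value` is 2-byte aligned, which only the struct layout outside this hunk can confirm; `get_unaligned_le16(smib->value)` would avoid the question. The function body continues past the end of the hunk.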
@@ -622,22 +624,23 @@  static int mwifiex_ret_802_11d_domain_info(struct mwifiex_private *priv,
  */
 static int mwifiex_ret_802_11_rf_channel(struct mwifiex_private *priv,
 					 struct host_cmd_ds_command *resp,
-					 u16 *new_channel)
+					 u16 *data_buf)
 {
 	struct host_cmd_ds_802_11_rf_channel *rf_channel =
 		&resp->params.rf_channel;
+	u16 new_channel = le16_to_cpu(rf_channel->current_channel);
 
-	if (new_channel)
-		*new_channel = le16_to_cpu(rf_channel->current_channel);
-
-	if (priv->curr_bss_params.bss_descriptor.channel != *new_channel) {
+	if (priv->curr_bss_params.bss_descriptor.channel != new_channel) {
 		dev_dbg(priv->adapter->dev, "cmd: Channel Switch: %d to %d\n",
 		       priv->curr_bss_params.bss_descriptor.channel,
-		       *new_channel);
+		       new_channel);
 		/* Update the channel again */
-		priv->curr_bss_params.bss_descriptor.channel = *new_channel;
+		priv->curr_bss_params.bss_descriptor.channel = new_channel;
 	}
 
+	if (data_buf)
+		*data_buf = new_channel;
+
 	return 0;
 }
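Review bot: The function's comment block, which starts outside the hunk and is not changed by it, should state that `data_buf` may be NULL, since that implicit contract is exactly what the earlier cleanup broke; something like `data_buf is optional: when non-NULL it receives the current channel in host byte order`. The same one-line statement would help on `mwifiex_ret_802_11_snmp_mib()` and on the `enable` argument in the sta_cmd.c hunk, where NULL now means "write 0". Separately, `new_channel` comes straight from the firmware response and is stored into `priv->curr_bss_params.bss_descriptor.channel` without a range check; whether one belongs here depends on code not shown.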