diff options
| author | Dan Carpenter <error27@gmail.com> | 2011-06-24 09:33:35 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2011-06-27 15:09:42 -0400 |
| commit | a5e5aa6cee4cdb967a1f1c33a31165062783ccea (patch) | |
| tree | c3e36575ff7495c5a70a567d7d4272acafc466ec /drivers | |
| parent | f6b4e4d476b890e1ddebbed8ec4924f9c2750a31 (diff) | |
mwifiex: restore handling of NULL parameters
Prior to a5ffddb70c5cab "mwifiex: remove casts of void pointers" the
code assumed that the data_buf parameter could be a NULL pointer.
The patch preserved some NULL checks but not consistently, so there
was a potential for NULL dereferences and it changed the behavior.
This patch restores the original behavior.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/net/wireless/mwifiex/sta_cmd.c | 2 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/sta_cmdresp.c | 29 |
2 files changed, 18 insertions, 13 deletions
diff --git a/drivers/net/wireless/mwifiex/sta_cmd.c b/drivers/net/wireless/mwifiex/sta_cmd.c index d85a0a60aa6a..49b9c1309f7a 100644 --- a/drivers/net/wireless/mwifiex/sta_cmd.c +++ b/drivers/net/wireless/mwifiex/sta_cmd.c | |||
| @@ -779,6 +779,8 @@ static int mwifiex_cmd_ibss_coalescing_status(struct host_cmd_ds_command *cmd, | |||
| 779 | case HostCmd_ACT_GEN_SET: | 779 | case HostCmd_ACT_GEN_SET: |
| 780 | if (enable) | 780 | if (enable) |
| 781 | ibss_coal->enable = cpu_to_le16(*enable); | 781 | ibss_coal->enable = cpu_to_le16(*enable); |
| 782 | else | ||
| 783 | ibss_coal->enable = 0; | ||
| 782 | break; | 784 | break; |
| 783 | 785 | ||
| 784 | /* In other case.. Nothing to do */ | 786 | /* In other case.. Nothing to do */ |
diff --git a/drivers/net/wireless/mwifiex/sta_cmdresp.c b/drivers/net/wireless/mwifiex/sta_cmdresp.c index ad64c87b91d6..6804239d87bd 100644 --- a/drivers/net/wireless/mwifiex/sta_cmdresp.c +++ b/drivers/net/wireless/mwifiex/sta_cmdresp.c | |||
| @@ -183,30 +183,32 @@ static int mwifiex_ret_802_11_rssi_info(struct mwifiex_private *priv, | |||
| 183 | */ | 183 | */ |
| 184 | static int mwifiex_ret_802_11_snmp_mib(struct mwifiex_private *priv, | 184 | static int mwifiex_ret_802_11_snmp_mib(struct mwifiex_private *priv, |
| 185 | struct host_cmd_ds_command *resp, | 185 | struct host_cmd_ds_command *resp, |
| 186 | u32 *ul_temp) | 186 | u32 *data_buf) |
| 187 | { | 187 | { |
| 188 | struct host_cmd_ds_802_11_snmp_mib *smib = &resp->params.smib; | 188 | struct host_cmd_ds_802_11_snmp_mib *smib = &resp->params.smib; |
| 189 | u16 oid = le16_to_cpu(smib->oid); | 189 | u16 oid = le16_to_cpu(smib->oid); |
| 190 | u16 query_type = le16_to_cpu(smib->query_type); | 190 | u16 query_type = le16_to_cpu(smib->query_type); |
| 191 | u32 ul_temp; | ||
| 191 | 192 | ||
| 192 | dev_dbg(priv->adapter->dev, "info: SNMP_RESP: oid value = %#x," | 193 | dev_dbg(priv->adapter->dev, "info: SNMP_RESP: oid value = %#x," |
| 193 | " query_type = %#x, buf size = %#x\n", | 194 | " query_type = %#x, buf size = %#x\n", |
| 194 | oid, query_type, le16_to_cpu(smib->buf_size)); | 195 | oid, query_type, le16_to_cpu(smib->buf_size)); |
| 195 | if (query_type == HostCmd_ACT_GEN_GET) { | 196 | if (query_type == HostCmd_ACT_GEN_GET) { |
| 196 | if (ul_temp) | 197 | ul_temp = le16_to_cpu(*((__le16 *) (smib->value))); |
| 197 | *ul_temp = le16_to_cpu(*((__le16 *) (smib->value))); | 198 | if (data_buf) |
| 199 | *data_buf = ul_temp; | ||
| 198 | switch (oid) { | 200 | switch (oid) { |
| 199 | case FRAG_THRESH_I: | 201 | case FRAG_THRESH_I: |
| 200 | dev_dbg(priv->adapter->dev, | 202 | dev_dbg(priv->adapter->dev, |
| 201 | "info: SNMP_RESP: FragThsd =%u\n", *ul_temp); | 203 | "info: SNMP_RESP: FragThsd =%u\n", ul_temp); |
| 202 | break; | 204 | break; |
| 203 | case RTS_THRESH_I: | 205 | case RTS_THRESH_I: |
| 204 | dev_dbg(priv->adapter->dev, | 206 | dev_dbg(priv->adapter->dev, |
| 205 | "info: SNMP_RESP: RTSThsd =%u\n", *ul_temp); | 207 | "info: SNMP_RESP: RTSThsd =%u\n", ul_temp); |
| 206 | break; | 208 | break; |
| 207 | case SHORT_RETRY_LIM_I: | 209 | case SHORT_RETRY_LIM_I: |
| 208 | dev_dbg(priv->adapter->dev, | 210 | dev_dbg(priv->adapter->dev, |
| 209 | "info: SNMP_RESP: TxRetryCount=%u\n", *ul_temp); | 211 | "info: SNMP_RESP: TxRetryCount=%u\n", ul_temp); |
| 210 | break; | 212 | break; |
| 211 | default: | 213 | default: |
| 212 | break; | 214 | break; |
| @@ -622,22 +624,23 @@ static int mwifiex_ret_802_11d_domain_info(struct mwifiex_private *priv, | |||
| 622 | */ | 624 | */ |
| 623 | static int mwifiex_ret_802_11_rf_channel(struct mwifiex_private *priv, | 625 | static int mwifiex_ret_802_11_rf_channel(struct mwifiex_private *priv, |
| 624 | struct host_cmd_ds_command *resp, | 626 | struct host_cmd_ds_command *resp, |
| 625 | u16 *new_channel) | 627 | u16 *data_buf) |
| 626 | { | 628 | { |
| 627 | struct host_cmd_ds_802_11_rf_channel *rf_channel = | 629 | struct host_cmd_ds_802_11_rf_channel *rf_channel = |
| 628 | &resp->params.rf_channel; | 630 | &resp->params.rf_channel; |
| 631 | u16 new_channel = le16_to_cpu(rf_channel->current_channel); | ||
| 629 | 632 | ||
| 630 | if (new_channel) | 633 | if (priv->curr_bss_params.bss_descriptor.channel != new_channel) { |
| 631 | *new_channel = le16_to_cpu(rf_channel->current_channel); | ||
| 632 | |||
| 633 | if (priv->curr_bss_params.bss_descriptor.channel != *new_channel) { | ||
| 634 | dev_dbg(priv->adapter->dev, "cmd: Channel Switch: %d to %d\n", | 634 | dev_dbg(priv->adapter->dev, "cmd: Channel Switch: %d to %d\n", |
| 635 | priv->curr_bss_params.bss_descriptor.channel, | 635 | priv->curr_bss_params.bss_descriptor.channel, |
| 636 | *new_channel); | 636 | new_channel); |
| 637 | /* Update the channel again */ | 637 | /* Update the channel again */ |
| 638 | priv->curr_bss_params.bss_descriptor.channel = *new_channel; | 638 | priv->curr_bss_params.bss_descriptor.channel = new_channel; |
| 639 | } | 639 | } |
| 640 | 640 | ||
| 641 | if (data_buf) | ||
| 642 | *data_buf = new_channel; | ||
| 643 | |||
| 641 | return 0; | 644 | return 0; |
| 642 | } | 645 | } |
| 643 | 646 | ||