tech-kern archive
iwn 2
I'm just reading if_iwn.c, and I don't see how iwn_iter_func can be legal:

	static void
	iwn_iter_func(void *arg, struct ieee80211_node *ni)
	{
		struct iwn_softc *sc = arg;
		struct iwn_node *wn = (struct iwn_node *)ni;

		ieee80211_amrr_choose(&sc->amrr, ni, &wn->amn);
	}

iwn_node is bigger than ieee80211_node, as it starts with an ieee80211_node:

	struct iwn_node {
		struct ieee80211_node		ni;	/* must be the first */
		struct ieee80211_amrr_node	amn;
		uint16_t			disable_tid;
		uint8_t				id;
		uint8_t				ridx[IEEE80211_RATE_MAXSIZE];
	};

Then, the call to ieee80211_amrr_choose uses amn, which is after the
struct the iwn_node was initialised with. ieee80211_amrr_choose then starts
by dereferencing bits of the amn. Isn't that pointing at garbage?
I haven't used iwn as an "infrastructure station", so have never run into
trouble, but is the C analysis right?
Cheers,
Patrick
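
The condition the question above turns on, as an added example that is not part of the original post or of if_iwn.c: a cast from a pointer to the embedded first member to the enclosing struct is only safe when the storage was allocated at the enclosing struct's size. All names here (base_node, drv_node, the two allocators) are hypothetical, and the alloc_size field is an assumption added so the check can be shown.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for a generic node and a driver's larger node. */
struct base_node {
	size_t alloc_size;	/* assumption: bytes actually allocated */
};
struct rate_state { unsigned txcnt; };
struct drv_node {
	struct base_node ni;	/* must be the first */
	struct rate_state amn;
};

/* Generic allocator: storage for the base struct only. */
static struct base_node *
generic_node_alloc(void)
{
	struct base_node *ni = calloc(1, sizeof(*ni));
	if (ni != NULL)
		ni->alloc_size = sizeof(*ni);
	return ni;
}

/* Driver allocator: storage for the whole enclosing struct. */
static struct base_node *
drv_node_alloc(void)
{
	struct drv_node *wn = calloc(1, sizeof(*wn));
	if (wn == NULL)
		return NULL;
	wn->ni.alloc_size = sizeof(*wn);
	return &wn->ni;
}

/* Downcast only when amn lies inside the allocation; -1 means it does not. */
static int
drv_iter_func(struct base_node *ni)
{
	if (ni->alloc_size < sizeof(struct drv_node))
		return -1;
	((struct drv_node *)ni)->amn.txcnt++;
	return 0;
}

int
main(void)
{
	struct base_node *a = drv_node_alloc(), *b = generic_node_alloc();
	return (a && b && drv_iter_func(a) == 0 && drv_iter_func(b) == -1) ? 0 : 1;
}
```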