tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

iwn 2

I'm just reading if_iwn.c, and I don't see how iwn_iter_func can be legal:

static void     
iwn_iter_func(void *arg, struct ieee80211_node *ni)
        struct iwn_softc *sc = arg;
        struct iwn_node *wn = (struct iwn_node *)ni;

        ieee80211_amrr_choose(&sc->amrr, ni, &wn->amn);

iwn_node is bigger than ieee80211_node, as it starts with an ieee80211_node:

struct iwn_node {       
        struct  ieee80211_node          ni;     /* must be the first */
        struct  ieee80211_amrr_node     amn;
        uint16_t                        disable_tid;
        uint8_t                         id;
        uint8_t                         ridx[IEEE80211_RATE_MAXSIZE];

Then, the call to ieee80211_amrr_choose uses amn, which is after the
struct the iwn_node was initalised with. ieee80211_amrr_choose then starts
by dereferencing bits of the amn. Isn't that pointing at garbage?

I haven't used iwn as an "infrastructure station", so have never run into
trouble, but is the C analysis right?



Home | Main Index | Thread Index | Old Index