staging: rtl8712: uninitialized memory in read_bbreg_hdl() [Linux 3.16.72]

This Linux kernel change "staging: rtl8712: uninitialized memory in read_bbreg_hdl()" is included in the Linux 3.16.72 release. It was authored by Dan Carpenter <dan.carpenter [at] oracle.com> on Thu Mar 21 09:26:38 2019 +0300. The commit for this change in the Linux stable tree is 1d6f09c (patch), which comes from upstream commit 22c971d. The same upstream change may have been applied to other maintained Linux releases, and you can find all Linux releases containing changes from upstream 22c971d.

staging: rtl8712: uninitialized memory in read_bbreg_hdl()

commit 22c971db7dd4b0ad8dd88e99c407f7a1f4231a2e upstream.

Colin King reported a bug in read_bbreg_hdl():

    memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);

The problem is that "val" is uninitialized.

This code is obviously not useful, but so far as I can tell
"pcmd->cmdcode" is never GEN_CMD_CODE(_Read_BBREG) so it's not harmful
either.  For now the easiest fix is to just call r8712_free_cmd_obj()
and return.

Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
Reported-by: Colin Ian King <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>

There are 12 lines of Linux source code added/deleted in this change. The code changes to the Linux kernel are as follows.

 drivers/staging/rtl8712/rtl8712_cmd.c | 10 +---------
 drivers/staging/rtl8712/rtl8712_cmd.h |  2 +-
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c
index 8ca7d7e..2a02259 100644
--- a/drivers/staging/rtl8712/rtl8712_cmd.c
+++ b/drivers/staging/rtl8712/rtl8712_cmd.c
@@ -155,19 +155,11 @@ static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)

 static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
 {
-   u32 val;
-   void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj  *pcmd);
    struct readBB_parm *prdbbparm;
    struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;

    prdbbparm = (struct readBB_parm *)pcmd->parmbuf;
-   if (pcmd->rsp && pcmd->rspsz > 0)
-       memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
-   pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
-   if (pcmd_callback == NULL)
-       r8712_free_cmd_obj(pcmd);
-   else
-       pcmd_callback(padapter, pcmd);
+   r8712_free_cmd_obj(pcmd);
    return H2C_SUCCESS;
 }
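
Review bot: prdbbparm is now dead in read_bbreg_hdl(): its declaration and the assignment from pcmd->parmbuf stay behind as context, but nothing in the function reads it once the memcpy and the callback dispatch are removed. Suggest dropping both lines (compilers may flag the variable as set but unused) and adding a one-line comment that the handler intentionally does nothing beyond r8712_free_cmd_obj(pcmd), because it still returns H2C_SUCCESS without ever writing pcmd->rsp.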

diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h
index 039ab3e..efa2fc9 100644
--- a/drivers/staging/rtl8712/rtl8712_cmd.h
+++ b/drivers/staging/rtl8712/rtl8712_cmd.h
@@ -152,7 +152,7 @@ enum rtl8712_h2c_cmd {
 static struct _cmd_callback    cmd_callback[] = {
    {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/
    {GEN_CMD_CODE(_Write_MACREG), NULL},
-   {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback},
+   {GEN_CMD_CODE(_Read_BBREG), NULL},
    {GEN_CMD_CODE(_Write_BBREG), NULL},
    {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback},
    {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/
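
Review bot: the _Read_BBREG entry in cmd_callback[] is set to NULL with no comment, while the _Read_RFREG entry two lines below keeps &r8712_getbbrfreg_cmdrsp_callback, so the table now treats the two register reads differently without saying why. A short comment on the changed entry noting that read_bbreg_hdl() frees the command itself would make the asymmetry clear. The _Read_RFREG handler is not part of this diff, so it is worth confirming that it does not copy an uninitialized local into pcmd->rsp before invoking that same callback.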
