From d7f2c23adf3b299680046041d87cbf900505e380 Mon Sep 17 00:00:00 2001 From: Jes Sorensen Date: Fri, 9 May 2014 15:04:17 +0200 Subject: [PATCH] staging: rtl8723au: Another case of missing 'tid' bounds checking. Signed-off-by: Jes Sorensen Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8723au/core/rtw_cmd.c | 5 +++++ drivers/staging/rtl8723au/core/rtw_mlme_ext.c | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723au/core/rtw_cmd.c b/drivers/staging/rtl8723au/core/rtw_cmd.c index 6bb67f8d7f64..3b9f8437c38a 100644 --- a/drivers/staging/rtl8723au/core/rtw_cmd.c +++ b/drivers/staging/rtl8723au/core/rtw_cmd.c @@ -823,6 +823,11 @@ u8 rtw_addbareq_cmd23a(struct rtw_adapter*padapter, u8 tid, u8 *addr) struct addBaReq_parm *paddbareq_parm; u8 res = _SUCCESS; + if (tid >= MAXTID) { + res = _FAIL; + goto exit; + } + ph2c = kzalloc(sizeof(struct cmd_obj), GFP_ATOMIC); if (!ph2c) { res = _FAIL; diff --git a/drivers/staging/rtl8723au/core/rtw_mlme_ext.c b/drivers/staging/rtl8723au/core/rtw_mlme_ext.c index 475b0de0fe24..2bd74f0893a2 100644 --- a/drivers/staging/rtl8723au/core/rtw_mlme_ext.c +++ b/drivers/staging/rtl8723au/core/rtw_mlme_ext.c @@ -6354,7 +6354,7 @@ u8 add_ba_hdl23a(struct rtw_adapter *padapter, const u8 *pbuf) mod_timer(&psta->addba_retry_timer, jiffies + msecs_to_jiffies(ADDBA_TO)); } else { - psta->htpriv.candidate_tid_bitmap &= ~CHKBIT(pparm->tid); + psta->htpriv.candidate_tid_bitmap &= ~BIT(pparm->tid); } return H2C_SUCCESS; } -- 2.20.1