staging: rtl8723au: Another case of missing 'tid' bounds checking.
authorJes Sorensen <Jes.Sorensen@redhat.com>
Fri, 9 May 2014 13:04:17 +0000 (15:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 May 2014 20:12:02 +0000 (13:12 -0700)
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/rtl8723au/core/rtw_cmd.c
drivers/staging/rtl8723au/core/rtw_mlme_ext.c

index 6bb67f8d7f64e5317e552bb47fa774f2084b2797..3b9f8437c38a84c4c8705c5ed388f116834810e9 100644 (file)
@@ -823,6 +823,11 @@ u8 rtw_addbareq_cmd23a(struct rtw_adapter*padapter, u8 tid, u8 *addr)
        struct addBaReq_parm *paddbareq_parm;
        u8 res = _SUCCESS;
 
+       if (tid >= MAXTID) {
+               res = _FAIL;
+               goto exit;
+       }
+
        ph2c = kzalloc(sizeof(struct cmd_obj), GFP_ATOMIC);
        if (!ph2c) {
                res = _FAIL;
index 475b0de0fe2455f2ba229458fe29da141660d8fa..2bd74f0893a25de7077a24dd877066ccb0bee0ed 100644 (file)
@@ -6354,7 +6354,7 @@ u8 add_ba_hdl23a(struct rtw_adapter *padapter, const u8 *pbuf)
                mod_timer(&psta->addba_retry_timer,
                          jiffies + msecs_to_jiffies(ADDBA_TO));
        } else {
-               psta->htpriv.candidate_tid_bitmap &= ~CHKBIT(pparm->tid);
+               psta->htpriv.candidate_tid_bitmap &= ~BIT(pparm->tid);
        }
        return  H2C_SUCCESS;
 }