staging: rtl8723au: Another case of missing 'tid' bounds checking.

Signed-off-by: N Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: rtl8723au: Another case of missing 'tid' bounds checking.
Signed-off-by: N Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
d7f2c23a · Jes Sorensen · Greg Kroah-Hartman · 4e489d91 · d7f2c23a · d7f2c23a
隐藏空白更改
内联并排

Showing with 6 addition and 1 deletion

drivers/staging/rtl8723au/core/rtw_cmd.c drivers/staging/rtl8723au/core/rtw_cmd.c +5 -0

drivers/staging/rtl8723au/core/rtw_mlme_ext.c drivers/staging/rtl8723au/core/rtw_mlme_ext.c +1 -1

未找到文件。
--- a/drivers/staging/rtl8723au/core/rtw_cmd.c
+++ b/drivers/staging/rtl8723au/core/rtw_cmd.c
@@ -823,6 +823,11 @@ u8 rtw_addbareq_cmd23a(struct rtw_adapter*padapter, u8 tid, u8 *addr)
 	struct addBaReq_parm *paddbareq_parm;
 	u8 res = _SUCCESS;

+	if (tid >= MAXTID) {
+		res = _FAIL;
+		goto exit;
+	}
+
 	ph2c = kzalloc(sizeof(struct cmd_obj), GFP_ATOMIC);
 	if (!ph2c) {
 		res = _FAIL;

--- a/drivers/staging/rtl8723au/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723au/core/rtw_mlme_ext.c
@@ -6354,7 +6354,7 @@ u8 add_ba_hdl23a(struct rtw_adapter *padapter, const u8 *pbuf)
 		mod_timer(&psta->addba_retry_timer,
 			  jiffies + msecs_to_jiffies(ADDBA_TO));
 	} else {
-		psta->htpriv.candidate_tid_bitmap &= ~CHKBIT(pparm->tid);
+		psta->htpriv.candidate_tid_bitmap &= ~BIT(pparm->tid);
 	}
 	return	H2C_SUCCESS;
 }