The value of pxmitframe->attrib.priority in r8712_issue_addbareq_cmd(), which dump_xframe() calls, is used to calculate the index for accessing an array of size 16. The value of pxmitframe->attrib.priority can be greater than 15, because the r8712_update_attrib() function can write a value up to 31 to attrib.priority, and r8712_xmitframe_complete() checks that pxmitframe->attrib.priority is less than 16 before calling r8712_xmitframe_coalesce(). Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Igor Artemiev <Igor.A.Artemiev@xxxxxxx> --- drivers/staging/rtl8712/rtl8712_xmit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8712/rtl8712_xmit.c b/drivers/staging/rtl8712/rtl8712_xmit.c index 4cb01f590673..8a39a3c8cfcb 100644 --- a/drivers/staging/rtl8712/rtl8712_xmit.c +++ b/drivers/staging/rtl8712/rtl8712_xmit.c @@ -669,7 +669,7 @@ int r8712_xmitframe_complete(struct _adapter *padapter, */ r8712_xmit_complete(padapter, pxmitframe); } - if (res == _SUCCESS) + if (res == _SUCCESS && pxmitframe->attrib.priority <= 15) dump_xframe(padapter, pxmitframe); else r8712_free_xmitframe_ex(pxmitpriv, pxmitframe); -- 2.30.2
