Smatch is distrustful of the "capab" value and marks it as user controlled. I think it actually comes from the firmware? Anyway, I looked at other drivers and they added a bounds check and it seems like a harmless thing to have so I have added it here as well. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> diff --git a/drivers/staging/rtlwifi/base.c b/drivers/staging/rtlwifi/base.c index f7f207cbaee3..a30b928d5ee1 100644 --- a/drivers/staging/rtlwifi/base.c +++ b/drivers/staging/rtlwifi/base.c @@ -1414,6 +1414,10 @@ bool rtl_action_proc(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx) le16_to_cpu(mgmt->u.action.u.addba_req.capab); tid = (capab & IEEE80211_ADDBA_PARAM_TID_MASK) >> 2; + if (tid >= MAX_TID_COUNT) { + rcu_read_unlock(); + return true; + } tid_data = &sta_entry->tids[tid]; if (tid_data->agg.rx_agg_state == RTL_RX_AGG_START)