staging: rtl8723au: Another case of missing 'tid' bounds checking.

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/staging/rtl8723au/core/rtw_cmd.c

@@ -823,6 +823,11 @@ u8 rtw_addbareq_cmd23a(struct rtw_adapter*padapter, u8 tid, u8 *addr)
 	struct addBaReq_parm *paddbareq_parm;
 	u8 res = _SUCCESS;
 
+	if (tid >= MAXTID) {
+		res = _FAIL;
+		goto exit;
+	}
+
 	ph2c = kzalloc(sizeof(struct cmd_obj), GFP_ATOMIC);
 	if (!ph2c) {
 		res = _FAIL;

drivers/staging/rtl8723au/core/rtw_mlme_ext.c

@@ -6354,7 +6354,7 @@ u8 add_ba_hdl23a(struct rtw_adapter *padapter, const u8 *pbuf)
 		mod_timer(&psta->addba_retry_timer,
 			  jiffies + msecs_to_jiffies(ADDBA_TO));
 	} else {
-		psta->htpriv.candidate_tid_bitmap &= ~CHKBIT(pparm->tid);
+		psta->htpriv.candidate_tid_bitmap &= ~BIT(pparm->tid);
 	}
 	return	H2C_SUCCESS;
 }