MFC r350630, r350657: static analysis fixes from Haiku

r350630:
oce(4): potential out of bounds access before vector validation

r350657:
ral: rt2860: fix wcid2ni access/size issue

RT2860_WCID_MAX is supposed to describe the max STA index for wcid2ni, and
was instead being used as the size -- off-by-one.

rt2860_drain_stats_fifo was range-checking wcid only after accessing
out-of-bounds potentially.

Author: kevans91

sys/dev/oce/oce_if.c

@@ -836,12 +836,14 @@ oce_fast_isr(void *arg)
 static int
 oce_alloc_intr(POCE_SOFTC sc, int vector, void (*isr) (void *arg, int pending))
 {
-	POCE_INTR_INFO ii = &sc->intrs[vector];
+	POCE_INTR_INFO ii;
 	int rc = 0, rr;
 
 	if (vector >= OCE_MAX_EQ)
 		return (EINVAL);
 
+	ii = &sc->intrs[vector];
+
 	/* Set the resource id for the interrupt.
 	 * MSIx is vector + 1 for the resource id,
 	 * INTx is 0 for the resource id.

sys/dev/ral/rt2860.c

@@ -1092,10 +1092,12 @@ rt2860_drain_stats_fifo(struct rt2860_softc *sc)
 		DPRINTFN(4, ("tx stat 0x%08x\n", stat));
 
 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
+		if (wcid > RT2860_WCID_MAX)
+			continue;
 		ni = sc->wcid2ni[wcid];
 
 		/* if no ACK was requested, no feedback is available */
-		if (!(stat & RT2860_TXQ_ACKREQ) || wcid == 0xff || ni == NULL)
+		if (!(stat & RT2860_TXQ_ACKREQ) || ni == NULL)
 			continue;
 
 		/* update per-STA AMRR stats */

sys/dev/ral/rt2860var.h

@@ -142,7 +142,7 @@ struct rt2860_softc {
 #define RT2860_PCIE		(1 << 2)
 #define	RT2860_RUNNING		(1 << 3)
 
-	struct ieee80211_node		*wcid2ni[RT2860_WCID_MAX];
+	struct ieee80211_node		*wcid2ni[RT2860_WCID_MAX + 1];
 
 	struct rt2860_tx_ring		txq[6];
 	struct rt2860_rx_ring		rxq;