From: Lorenzo Bianconi <lorenzo@kernel.org>
Date: Wed, 20 Feb 2019 09:20:37 +0000 (+0100)
Subject: mt76: usb: check urb->num_sgs limit in mt76u_process_rx_entry
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=200abe6a963a8720397f7156403ff14d09457704;p=openwrt%2Fstaging%2Fblogic.git

mt76: usb: check urb->num_sgs limit in mt76u_process_rx_entry

check nsgs value is less than urb->num_sgs in mt76u_process_rx_entry
in order to avoid an out-of-bound access of urb->sg array

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---

diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c
index 096bc99378f5..ac3da948d43a 100644
--- a/drivers/net/wireless/mediatek/mt76/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/usb.c
@@ -468,7 +468,7 @@ mt76u_process_rx_entry(struct mt76_dev *dev, struct mt76u_buf *buf)
 	__skb_put(skb, data_len);
 	len -= data_len;
 
-	while (len > 0 && urb->num_sgs) {
+	while (len > 0 && nsgs < urb->num_sgs) {
 		data_len = min_t(int, len, urb->sg[nsgs].length);
 		skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
 				sg_page(&urb->sg[nsgs]),