mt76: usb: check urb->num_sgs limit in mt76u_process_rx_entry

check nsgs value is less than urb->num_sgs in mt76u_process_rx_entry in order to avoid an out-of-bound access of urb->sg array Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Felix Fietkau <nbd@nbd.name>

mt76: usb: check urb->num_sgs limit in mt76u_process_rx_entry
check nsgs value is less than urb->num_sgs in mt76u_process_rx_entry in order to avoid an out-of-bound access of urb->sg array Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Felix Fietkau <nbd@nbd.name>
200abe6a · Lorenzo Bianconi · Felix Fietkau · 04eb16fc · 200abe6a
Commit 200abe6a authored Feb 20, 2019 by Lorenzo Bianconi Committed by Felix Fietkau Feb 26, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/net/wireless/mediatek/mt76/usb.c drivers/net/wireless/mediatek/mt76/usb.c +1 -1

No files found.
--- a/drivers/net/wireless/mediatek/mt76/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/usb.c
@@ -468,7 +468,7 @@ mt76u_process_rx_entry(struct mt76_dev *dev, struct mt76u_buf *buf)
 	__skb_put(skb, data_len);
 	len -= data_len;

-	while (len > 0 && urb->num_sgs) {
+	while (len > 0 && nsgs < urb->num_sgs) {
 		data_len = min_t(int, len, urb->sg[nsgs].length);
 		skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
 				sg_page(&urb->sg[nsgs]),