mt76: usb: check urb->num_sgs limit in mt76u_process_rx_entry

check nsgs value is less than urb->num_sgs in mt76u_process_rx_entry
in order to avoid an out-of-bound access of urb->sg array

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c
index 096bc99..ac3da94 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/usb.c
@@ -468,7 +468,7 @@ mt76u_process_rx_entry(struct mt76_dev *dev, struct mt76u_buf *buf)
        __skb_put(skb, data_len);
        len -= data_len;
 
-       while (len > 0 && urb->num_sgs) {
+       while (len > 0 && nsgs < urb->num_sgs) {
                data_len = min_t(int, len, urb->sg[nsgs].length);
                skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
                                sg_page(&urb->sg[nsgs]),