mt76: usb: check urb->num_sgs limit in mt76u_process_rx_entry

Message ID 9111504273864ca3838481c57ad0f22dea74e303.1550654091.git.lorenzo@kernel.org (mailing list archive)
State Accepted
Delegated to: Kalle Valo

Commit Message

Lorenzo Bianconi Feb. 20, 2019, 9:20 a.m. UTC
From: Lorenzo Bianconi <lorenzo@kernel.org>

check nsgs value is less than urb->num_sgs in mt76u_process_rx_entry
in order to avoid an out-of-bound access of urb->sg array

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/usb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Felix Fietkau Feb. 26, 2019, 11:33 a.m. UTC | #1
On 2019-02-20 10:20, lorenzo@kernel.org wrote:
> From: Lorenzo Bianconi <lorenzo@kernel.org>
> 
> check nsgs value is less than urb->num_sgs in mt76u_process_rx_entry
> in order to avoid an out-of-bound access of urb->sg array
> 
> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Applied, thanks.

- Felix

Patch

diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c
index 78191968b4fa..5d7b57827d1e 100644
--- a/drivers/net/wireless/mediatek/mt76/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/usb.c
@@ -464,7 +464,7 @@  mt76u_process_rx_entry(struct mt76_dev *dev, struct mt76u_buf *buf)
 	__skb_put(skb, data_len);
 	len -= data_len;
 
-	while (len > 0 && urb->num_sgs) {
+	while (len > 0 && nsgs < urb->num_sgs) {
 		data_len = min_t(int, len, urb->sg[nsgs].length);
 		skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
 				sg_page(&urb->sg[nsgs]),
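
Review bot: The new `while (len > 0 && nsgs < urb->num_sgs)` condition stops the index at the end of `urb->sg`, but when the loop exits because `nsgs` reached `urb->num_sgs` while `len` is still positive, nothing in the visible lines detects the leftover length, so a frame whose reported length exceeds what the scatterlist holds would be handed on shorter than announced without any notice. Consider testing `len > 0` after the loop and dropping or counting such a frame. Because this closes an out-of-bound access of `urb->sg`, the commit message would also benefit from a `Fixes:` tag naming the commit that introduced the old `urb->num_sgs` condition, so the stable trees can pick it up.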