FROMGIT: wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid

Since resplen and respoffs are signed integers, sufficiently
large values of unsigned int len and offset members of RNDIS
response will result in negative values of prior variables.
This may be utilized to bypass implemented security checks
to either extract memory contents by manipulating offset or
overflow the data buffer via memcpy by manipulating both
offset and len.

Additionally assure that sum of resplen and respoffs does not
overflow so buffer boundaries are kept.

Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond")
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com
(cherry picked from commit b870e73a56c4cccbec33224233eaf295839f228c
 https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git master)

BUG=b:262448137
TEST=Revert the temporarily disabling CL crrev/c/4119063;
     Build and boot on herobrine on v5.15.
TEST=Use CQ dry-run to verify this CL doesn't break image building on
     other kernels.

Change-Id: I3c41e47a8d5e2dc4e9e0a5ac774dd2d675ff1f86
Signed-off-by: Jun Yu <junyuu@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/4176235
Reviewed-by: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: Ross Zwisler <zwisler@google.com>
Reviewed-by: Sean Paul <sean@poorly.run>
(cherry picked from commit e835dcf9db58b75b436d614a65dd9f31cbb14ef8)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/4211012
Reviewed-by: Martin Faltesek <mfaltesek@google.com>
1 file changed
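
The failure mode the commit message describes, as an added example that is not code from the driver or from this commit: a simplified model of a length/offset check done first with signed and then with unsigned variables. BUF_LEN, HDR_LEN, the function names and the sample inputs are constructed assumptions; no copy is performed, each function only reports the offset and length that a memcpy would receive.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: names and sizes are assumptions, not the driver's. */
#define BUF_LEN 1024   /* bytes in the response buffer */
#define HDR_LEN 8      /* the device's offset is relative to this point */

struct span { int ok; int64_t off; int64_t len; };   /* what memcpy would get */

/* Signed bookkeeping: device-supplied u32 values are stored in signed ints. */
struct span check_signed(uint32_t wire_len, uint32_t wire_off, int dst_len)
{
    struct span r = { 0, 0, 0 };
    int32_t resplen = (int32_t)wire_len;               /* >= 2^31 turns negative */
    int32_t respoffs = (int32_t)(wire_off + HDR_LEN);  /* likewise (wraps on gcc/clang) */
    int32_t copylen;

    if (respoffs > BUF_LEN)                 /* a negative offset passes this test */
        return r;
    if ((int64_t)resplen + respoffs > BUF_LEN)  /* widened: no UB in the model */
        copylen = BUF_LEN - respoffs;
    else
        copylen = resplen;                  /* a negative length survives */
    if (copylen > dst_len)                  /* and is never clamped here */
        copylen = dst_len;
    r.ok = 1; r.off = respoffs; r.len = copylen;
    return r;
}

/* Unsigned bookkeeping: bound the offset first, then clamp by subtraction. */
struct span check_unsigned(uint32_t wire_len, uint32_t wire_off, uint32_t dst_len)
{
    struct span r = { 0, 0, 0 };
    const uint32_t buflen = BUF_LEN;
    uint32_t respoffs, copylen = wire_len;

    if (wire_off > buflen - HDR_LEN)        /* also rules out wrap in the add */
        return r;
    respoffs = wire_off + HDR_LEN;
    if (copylen > buflen - respoffs)        /* no resplen + respoffs sum to overflow */
        copylen = buflen - respoffs;
    if (copylen > dst_len)
        copylen = dst_len;
    r.ok = 1; r.off = respoffs; r.len = copylen;
    return r;
}

int main(void)
{
    struct span s = check_signed(100u, 0xFFFFFF00u, 256);    /* constructed input */
    struct span u = check_unsigned(100u, 0xFFFFFF00u, 256u);
    printf("signed: ok=%d off=%lld len=%lld\nunsigned: ok=%d\n",
           s.ok, (long long)s.off, (long long)s.len, u.ok);
    return 0;
}
```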