usb: gadget: rndis: prevent integer overflow in rndis_set_response()

mainline inclusion
from mainline-v5.17
commit 65f3324f
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5KBY1


CVE: NA

--------------------------------

If "BufOffset" is very large the "BufOffset + 8" operation can have an
integer overflow.

Cc: stable@kernel.org
Fixes: 38ea1eac ("usb: gadget: rndis: check size of RNDIS_MSG_SET command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220301080424.GA17208@kili


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>