usb: gadget: rndis: prevent integer overflow in rndis_set_response()

commit 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa upstream.

If "BufOffset" is very large the "BufOffset + 8" operation can have an
integer overflow.

Change-Id: I2d68b3cc11832de13cf33f3eb56f1e8ecac4dda6
Cc: stable@kernel.org
Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220301080424.GA17208@kili


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 138d4f73
Git-repo: https://android.googlesource.com/kernel/common


Signed-off-by: PavanKumar S.R <quic_pavasr@quicinc.com>