From 6eb6aeef7e670bddc9cd52aaf32765a9ea85eee3 Mon Sep 17 00:00:00 2001
From: Hans Petter Selasky <hselasky@FreeBSD.org>
Date: Sat, 30 Apr 2022 11:21:54 +0200
Subject: [PATCH] uath(4): Fix incorrect byte-swapping and a buffer length
 check.

PR:			263638
Reported by:		Jeff Gibbons <jgibbons@protogate.com>
MFC after:		1 week
Sponsored by:		NVIDIA Networking
---
 sys/dev/usb/wlan/if_uath.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sys/dev/usb/wlan/if_uath.c b/sys/dev/usb/wlan/if_uath.c
index df7e1d7c396..4ffdc9a72fa 100644
--- a/sys/dev/usb/wlan/if_uath.c
+++ b/sys/dev/usb/wlan/if_uath.c
@@ -2244,7 +2244,7 @@ uath_cmdeof(struct uath_softc *sc, struct uath_cmd *cmd)
 			u_int olen;
 
 			if (sizeof(*hdr) > hdr->len ||
-			    hdr->len >= UATH_MAX_CMDSZ) {
+			    hdr->len > UATH_MAX_CMDSZ) {
 				device_printf(sc->sc_dev,
 				    "%s: invalid WDC msg length %u; "
 				    "msg ignored\n", __func__, hdr->len);
@@ -2360,11 +2360,10 @@ uath_intr_rx_callback(struct usb_xfer *xfer, usb_error_t error)
 		usbd_copy_out(pc, 0, cmd->buf, actlen);
 
 		hdr = (struct uath_cmd_hdr *)cmd->buf;
-		hdr->len = be32toh(hdr->len);
-		if (hdr->len > (uint32_t)actlen) {
+		if (be32toh(hdr->len) > (uint32_t)actlen) {
 			device_printf(sc->sc_dev,
 			    "%s: truncated xfer (len %u, actlen %d)\n",
-			    __func__, hdr->len, actlen);
+			    __func__, be32toh(hdr->len), actlen);
 			goto setup;
 		}