
qcacmn: Replace MAX_CHANNELS with NUM_CHANNELS in wifipos module

In wifipos component, channel info array is allocated for MAX_CHANNELS(255)
and passed to the regulatory module which uses NUM_CHANNELS to fill the
channels. NUM_CHANNELS can be more than 255. This may lead to an array out
of boundary access.

Use NUM_CHANNELS in the wifipos component to allocate the channel info array.
Also, add a boundary check on the number of channels received from the
regulatory component.

Change-Id: I5b7a7a4767d8bbb259c5631cf744e57ee3e1effb
CRs-Fixed: 2938879
Shashikala Prabhu 4 年 前
コミット
005e1f3dd7

+ 1 - 2
umac/wifi_pos/inc/wifi_pos_utils_pub.h

@@ -32,7 +32,6 @@
 #define OEM_TARGET_SIGNATURE_LEN   8
 #define OEM_TARGET_SIGNATURE       "QUALCOMM"
 
-#define MAX_CHANNELS               255
 #define OEM_CAP_MAX_NUM_CHANNELS   128
 
 #define WIFI_POS_RSP_V1_FLAT_MEMORY  0x00000001
@@ -98,7 +97,7 @@ struct wifi_pos_channel_power {
  */
 struct qdf_packed wifi_pos_channel_list {
 	uint16_t num_channels;
-	struct wifi_pos_channel_power chan_info[MAX_CHANNELS];
+	struct wifi_pos_channel_power chan_info[NUM_CHANNELS];
 };
 
 /**
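Review bot: `chan_info[NUM_CHANNELS]` ties the size of this packed, public struct to a constant owned by the regulatory component, and nothing in the hunk documents that coupling or shows where `NUM_CHANNELS` is defined. A field comment such as `/* sized to NUM_CHANNELS: the regulatory component fills up to that many entries */` would help keep the two from drifting apart again. Since `num_channels` is a `uint16_t`, a compile-time check that `NUM_CHANNELS` fits in 16 bits would also be cheap insurance. Callers that size buffers from `sizeof(struct wifi_pos_channel_list)` are not visible here and may need a look, because the struct grows whenever NUM_CHANNELS exceeds the old 255. The struct's doc comment begins outside the hunk.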

+ 7 - 1
umac/wifi_pos/src/wifi_pos_main.c

@@ -498,7 +498,7 @@ static void wifi_pos_pdev_iterator(struct wlan_objmgr_psoc *psoc,
 	wifi_pos_ch = &chan_list->chan_info[chan_list->num_channels];
 
 	ch_info = (struct channel_power *)qdf_mem_malloc(
-			sizeof(*ch_info) * MAX_CHANNELS);
+			sizeof(*ch_info) * NUM_CHANNELS);
 	if (!ch_info) {
 		wifi_pos_err("ch_info is null");
 		return;
@@ -513,6 +513,12 @@ static void wifi_pos_pdev_iterator(struct wlan_objmgr_psoc *psoc,
 		return;
 	}
 
+	if ((chan_list->num_channels + num_channels) > NUM_CHANNELS) {
+		wifi_pos_err("Invalid number of channels");
+		qdf_mem_free(ch_info);
+		return;
+	}
+
 	for (i = 0; i < num_channels; i++) {
 		wifi_pos_ch[i].ch_power.center_freq = ch_info[i].center_freq;
 		wifi_pos_ch[i].ch_power.chan_num = ch_info[i].chan_num;
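Review bot: The new guard `if ((chan_list->num_channels + num_channels) > NUM_CHANNELS)` is only as reliable as the width of `num_channels`, which is declared outside this hunk. If it is an 8-bit counter, a regulatory count above 255 would be truncated before the comparison, so the check would pass on a wrapped value and channels would be dropped silently. Confirm it is at least as wide as the `uint16_t` `chan_list->num_channels`. The error path would also be easier to diagnose if it logged both operands, e.g. `wifi_pos_err("Invalid number of channels: %u + %u", chan_list->num_channels, num_channels);`. The body of wifi_pos_pdev_iterator starts and ends outside the hunk, including the regulatory call that fills `ch_info`.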