
qcacld-3.0: Fix possible OOB read in proc_dnld_rsp

In proc_dnld_rsp, pHdr->sBufSize is coming from a fw message
which cannot be trusted. Before its use, proc_dnld_rsp
should verify it against its max allowed size (UINT_MAX).

Fix is to add a sanity check for pHdr->sBufSize against UINT_MAX
before its use.

Change-Id: I6ec970483af860d5e42d6adac640274743f44f1a
CRs-Fixed: 2308333
Abhinav Kumar, 6 years ago
commit 0b1da04c88
1 changed file with 7 additions and 0 deletions

+ 7 - 0
core/mac/src/cfg/cfg_proc_msg.c

@@ -996,6 +996,13 @@ static void proc_dnld_rsp(tpAniSirGlobal pMac, uint16_t length, uint32_t *pParam
 		       pHdr->controlSize, pHdr->iBufSize, pHdr->sBufSize,
 		       pMac->cfg.gCfgMaxSBufSize);
 
+	if (pHdr->sBufSize > (UINT_MAX -
+		(((CFG_PARAM_MAX_NUM + 3 * pMac->cfg.gCfgMaxIBufSize) << 2) +
+		sizeof(tCfgBinHdr)))) {
+		pe_warn("Invalid sBufSize coming from fw: %d", pHdr->sBufSize);
+		retVal = WNI_CFG_INVALID_LEN;
+		goto end;
+	}
 	expLen =
 		((CFG_PARAM_MAX_NUM + 3 * pMac->cfg.gCfgMaxIBufSize) << 2) +
 		pHdr->sBufSize + sizeof(tCfgBinHdr);
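Review bot: the bound in the new check only prevents the expLen arithmetic from wrapping (UINT_MAX minus the other addends), so an sBufSize far above pMac->cfg.gCfgMaxSBufSize, which the pe_debug just above already prints, still passes this check; consider also rejecting `pHdr->sBufSize > pMac->cfg.gCfgMaxSBufSize` here, since the configured maximum is the tighter and more meaningful limit for a firmware-supplied length. Two smaller points on the same lines: the `%d` in the pe_warn format prints a value that the check compares as unsigned (the right-hand side is derived from UINT_MAX), so `%u` is the matching conversion; and the subtrahend `((CFG_PARAM_MAX_NUM + 3 * pMac->cfg.gCfgMaxIBufSize) << 2) + sizeof(tCfgBinHdr)` is duplicated verbatim in the expLen computation directly below, so compute it once into a local and use it in both places so the check and the use cannot drift apart.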