
qcacld-3.0: Possible OOB write in rrm_process_radio_measurement_request

If two measurement requests call update_rrm_report() twice, an out-of-bounds write is possible for the allocated report array, report[],
in rrm_process_radio_measurement_request

Change-Id: Icc8b7aa14bbcc1219d28025e599c9976a3525bba
CRs-Fixed: 2564485
Abhinav Kumar 5 rokov pred
rodič
commit
18c78a34b9
1 zmenil súbory, kde vykonal 12 pridanie a 10 odobranie
  1. 12 10
      core/mac/src/pe/rrm/rrm_api.c

+ 12 - 10
core/mac/src/pe/rrm/rrm_api.c

@@ -1101,26 +1101,28 @@ QDF_STATUS rrm_process_beacon_req(struct mac_context *mac_ctx, tSirMacAddr peer,
  */
 static
 QDF_STATUS update_rrm_report(struct mac_context *mac_ctx,
-			     tpSirMacRadioMeasureReport report,
+			     tpSirMacRadioMeasureReport *report,
 			     tDot11fRadioMeasurementRequest *rrm_req,
 			     uint8_t *num_report, int index)
 {
-	if (!report) {
+	tpSirMacRadioMeasureReport rrm_report;
+
+	if (!*report) {
 		/*
 		 * Allocate memory to send reports for
 		 * any subsequent requests.
 		 */
-		report = qdf_mem_malloc(sizeof(*report) *
+		*report = qdf_mem_malloc(sizeof(tSirMacRadioMeasureReport) *
 			 (rrm_req->num_MeasurementRequest - index));
-		if (!report)
+		if (!*report)
 			return QDF_STATUS_E_NOMEM;
-		pe_debug("rrm beacon type incapable of %d report",
-			*num_report);
+		pe_debug("rrm beacon type incapable of %d report", *num_report);
 	}
-	report[*num_report].incapable = 1;
-	report[*num_report].type =
+	rrm_report = *report;
+	rrm_report[*num_report].incapable = 1;
+	rrm_report[*num_report].type =
 		rrm_req->MeasurementRequest[index].measurement_type;
-	report[*num_report].token =
+	rrm_report[*num_report].token =
 		 rrm_req->MeasurementRequest[index].measurement_token;
 	(*num_report)++;
 	return QDF_STATUS_SUCCESS;
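Review bot: The capacity of the array allocated at the `*report = qdf_mem_malloc(...)` line is fixed by the `index` of the first incapable request, while every later call writes at `*num_report`, so the write stays in bounds only if the caller increments `*num_report` at most once per request with a higher index, and nothing in this function checks that invariant. Since the function cannot see the capacity, state it in the function comment that closes at the ` */` line above the signature, e.g. `report: in/out. Allocated on the first call with room for the remaining (num_MeasurementRequest - index) requests and written at *num_report on every call; the caller owns the allocation.` Consider `sizeof(**report)` in place of `sizeof(tSirMacRadioMeasureReport)` so the element size follows the parameter's type if it is ever changed. Whether qdf_mem_malloc zero-fills the block is not visible here; if it does not, the fields other than incapable, type and token are left uninitialized, which is worth confirming. The second hunk only adapts the call site to pass `&report`.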
@@ -1198,7 +1200,7 @@ rrm_process_radio_measurement_request(struct mac_context *mac_ctx,
 			break;
 		default:
 			/* Send a report with incapabale bit set. */
-			status = update_rrm_report(mac_ctx, report, rrm_req,
+			status = update_rrm_report(mac_ctx, &report, rrm_req,
 						   &num_report, i);
 			if (QDF_STATUS_SUCCESS != status)
 				return status;