
qcacld-3.0: Fix num_rates check in lim_populate_matching_rate_set

In function lim_populate_matching_rate_set, sum of num_rates is being
checked against max array size but it does not take into account 8-bit
arithmetic overflow in calculating sum. Because of this even though
actual sum is greater than max array size, it might wrap around and be
less than max array size thus failing the condition. Perform 16-bit
arithmetic sum instead to avoid overflow.

Change-Id: Ia078e37891835540c974347ec6b5c9794300e264
CRs-Fixed: 1091486
Naveen Rawat 8 years ago
Parent
Commit
24c169196c
1 changed file with 7 additions and 1 deletion
  1. core/mac/src/pe/lim/lim_assoc_utils.c (+7 -1)

+ 7 - 1
core/mac/src/pe/lim/lim_assoc_utils.c

@@ -1893,7 +1893,13 @@ tSirRetStatus lim_populate_matching_rate_set(tpAniSirGlobal mac_ctx,
 		temp_rate_set2.numRates = 0;
 	}
 
-	if ((temp_rate_set.numRates + temp_rate_set2.numRates) > 12) {
+	/*
+	 * absolute sum of both num_rates should be less than 12. following
+	 * 16-bit sum avoids false codition where 8-bit arthematic overflow
+	 * might have caused total sum to be less than 12
+	 */
+	if (((uint16_t)temp_rate_set.numRates +
+		(uint16_t)temp_rate_set2.numRates) > 12) {
 		lim_log(mac_ctx, LOGE, FL("more than 12 rates in CFG"));
 		return eSIR_FAILURE;
 	}
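
Review bot: the `(uint16_t)` casts in the new `if` probably do not change what the comparison computes. If `numRates` is an 8-bit unsigned field, as the commit message implies, C's integer promotions already widen both operands to `int` before the `+`, so the sum on the removed line could not wrap at 8 bits either. The casts are harmless, but if a wrap was actually observed it is worth checking whether it comes from somewhere other than this comparison, for example a sum stored back into an 8-bit variable, which is not visible in this hunk. Separately, the added comment says the sum "should be less than 12" while the condition rejects only sums greater than 12, so a total of exactly 12 is accepted; reword it to "must not exceed 12", fix "codition" and "arthematic", and consider replacing the literal 12 with a named constant tied to the array size the commit message refers to.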