
qcacld-3.0: Fix potential buffer overflow in htt_t2h_lp_msg_handler

qcacld-2.0 to qcacld-3.0 propagation

Validate peer_id when an HTT_T2H_MSG_TYPE_PEER_MAP or
HTT_T2H_MSG_TYPE_PEER_UNMAP message is received from firmware, so that
an out-of-range peer_id cannot cause a buffer overflow.

Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513
CRs-Fixed: 2147119
Tiger Yu há 7 anos atrás
1 ficheiros alterados com 16 adições e 0 exclusões
  1. 16 0
      core/dp/htt/htt_t2h.c

+ 16 - 0
core/dp/htt/htt_t2h.c

@@ -362,6 +362,14 @@ static void htt_t2h_lp_msg_handler(void *context, qdf_nbuf_t htt_t2h_msg,
 			(uint8_t *) (msg_word + 1),
 			&mac_addr_deswizzle_buf[0]);
 
+		if (peer_id > ol_cfg_max_peer_id(pdev->ctrl_pdev)) {
+			qdf_print("%s: HTT_T2H_MSG_TYPE_PEER_MAP,"
+				"invalid peer_id, %u\n",
+				__FUNCTION__,
+				peer_id);
+			break;
+		}
+
 		ol_rx_peer_map_handler(pdev->txrx_pdev, peer_id,
 				       vdev_id, peer_mac_addr,
 				       1 /*can tx */);
@@ -372,6 +380,14 @@ static void htt_t2h_lp_msg_handler(void *context, qdf_nbuf_t htt_t2h_msg,
 		uint16_t peer_id;
 
 		peer_id = HTT_RX_PEER_UNMAP_PEER_ID_GET(*msg_word);
+		if (peer_id > ol_cfg_max_peer_id(pdev->ctrl_pdev)) {
+			qdf_print("%s: HTT_T2H_MSG_TYPE_PEER_UNMAP,"
+				"invalid peer_id, %u\n",
+				__FUNCTION__,
+				peer_id);
+			break;
+		}
+
 		ol_rx_peer_unmap_handler(pdev->txrx_pdev, peer_id);
 		break;
 	}
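Review bot: Both added guards reject only `peer_id > ol_cfg_max_peer_id(...)`, so they are correct only if that helper returns the inclusive last valid index of the table that ol_rx_peer_map_handler/ol_rx_peer_unmap_handler index with peer_id; ol_cfg_max_peer_id and the table allocation are outside this hunk, so please confirm that and record it, e.g. `/* max_peer_id is the inclusive upper bound of the peer table; >= would reject a valid id */` above each check. The two checks are identical and could be one `static bool htt_peer_id_is_valid(struct htt_pdev_t *pdev, uint16_t peer_id)` so a later message type cannot drift from them. The concatenated format string yields `PEER_MAP,invalid peer_id` with no space; `"%s: HTT_T2H_MSG_TYPE_PEER_MAP, invalid peer_id %u\n"` reads better, and `__func__` is the standard spelling of `__FUNCTION__`. The enclosing htt_t2h_lp_msg_handler switch starts before the first hunk and continues after the second.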