qcacld-3.0: Add a sanity check to prevent integer overflow

Currently in the function hdd_send_roam_scan_channel_freq_list_to_sme,
the num_chan variable is declared as uint8_t and is incremented
for each nested attribute PARAM_SCAN_FREQ_LIST.

If the number of attributes sent by userspace is more than max value
of uint8_t, then an integer overflow occurs.

To avoid this issue, add a sanity check to see if num_chan has reached
SIR_MAX_SUPPORTED_CHANNEL_LIST before incrementing variable.

Change-Id: I601a73a118eb65ebb8575f6ed5ed1f29d915f59e
CRs-Fixed: 3568577

core/hdd/src/wlan_hdd_cfg80211.c

@@ -5478,12 +5478,13 @@ hdd_send_roam_scan_channel_freq_list_to_sme(struct hdd_context *hdd_ctx,
 		return QDF_STATUS_E_INVAL;
 	}
 
-	nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem)
+	nla_for_each_nested(curr_attr, tb2[PARAM_SCAN_FREQ_LIST], rem) {
+		if (num_chan >= SIR_MAX_SUPPORTED_CHANNEL_LIST) {
+			hdd_err("number of channels (%d) supported exceeded max (%d)",
+				num_chan, SIR_MAX_SUPPORTED_CHANNEL_LIST);
+			return QDF_STATUS_E_INVAL;
+		}
 		num_chan++;
-	if (num_chan > SIR_MAX_SUPPORTED_CHANNEL_LIST) {
-		hdd_err("number of channels (%d) supported exceeded max (%d)",
-			num_chan, SIR_MAX_SUPPORTED_CHANNEL_LIST);
-		return QDF_STATUS_E_INVAL;
 	}
 	num_chan = 0;