
qcacld-3.0: Fix potential buffer overwrite in wma_unified_link_iface_stats_event_handler

In function wma_unified_link_iface_stats_event_handler, num_ac is received
from the firmware and is used in the loop to populate values into results.
However the memory for results is allocated only for WIFI_AC_MAX and a
buffer overflow will occur if num_ac is greater than WIFI_AC_MAX.

Add checks to make sure num_ac is not greater than WIFI_AC_MAX and
num_offload_stats is not greater than WMI_OFFLOAD_STATS_TYPE_MAX.

Change-Id: Ife8b1d19aa853f85f4fad82d5791e49a8c892ca4
CRs-Fixed: 2114756
Vignesh Viswanathan 7 years ago
Parent
Current commit
37794ae6dd
1 file changed, with 11 insertions and 0 deletions
  1. 11 0
      core/wma/src/wma_utils.c

+ 11 - 0
core/wma/src/wma_utils.c

@@ -2103,6 +2103,17 @@ int wma_unified_link_iface_stats_event_handler(void *handle,
 		return -EINVAL;
 	}
 
+	if (link_stats->num_ac > WIFI_AC_MAX) {
+		WMA_LOGE("%s: Excess data received from firmware num_ac %d",
+			 __func__, link_stats->num_ac);
+		return -EINVAL;
+	}
+	if (fixed_param->num_offload_stats > WMI_OFFLOAD_STATS_TYPE_MAX) {
+		WMA_LOGE("%s: Excess num offload stats recvd from fw: %d",
+			__func__, fixed_param->num_offload_stats);
+		return -EINVAL;
+	}
+
 	link_stats_size = sizeof(tSirWifiIfaceStat);
 	iface_info_size = sizeof(tSirWifiInterfaceInfo);
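
Review bot: In the second check, `fixed_param->num_offload_stats > WMI_OFFLOAD_STATS_TYPE_MAX` has no stated link to a buffer size. The commit message explains that results is allocated for WIFI_AC_MAX entries, but nothing visible here says which allocation or loop WMI_OFFLOAD_STATS_TYPE_MAX bounds. A one-line comment above each check naming the buffer it protects would make the intent reviewable. Both WMA_LOGE calls print the firmware-supplied count with %d; if these fields are unsigned, %u would avoid logging an oversized value as a negative number, and printing the limit alongside the received value would help triage. The continuation line `__func__, fixed_param->num_offload_stats);` is also indented one column less than the matching continuation in the first check.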