qcacmn: Avoid buffer overread when retrieving cnss diag cmd

In cnss_diag_cmd_handler(), add length check for the command attribute.
This prevents the possibility of a buffer overread or underrun.
Also add an audit comment explaining why the policy table
is not used in this API.

Change-Id: I023bbf3789498f315fd1bff8db8ef8257abb2b04
CRs-Fixed: 2058580
Tushnim Bhattacharyya
2017-06-06 17:18:30 -07:00
提交者 snandini
父节点 64c3d8438f
当前提交 3db6b3cc4e


@@ -4161,6 +4161,10 @@ static void cnss_diag_cmd_handler(const void *data, int data_len,
struct dbglog_slot *slot = NULL;
struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_MAX + 1];
/*
* audit note: it is ok to pass a NULL policy here since a
* length check on the data is added later already
*/
if (nla_parse(tb, CLD80211_ATTR_MAX, data, data_len, NULL)) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: nla parse fails \n",
__func__));
@@ -4172,6 +4176,12 @@ static void cnss_diag_cmd_handler(const void *data, int data_len,
__func__));
return;
}
if (nla_len(tb[CLD80211_ATTR_DATA]) != sizeof(struct dbglog_slot)) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: attr length check fails\n",
__func__));
return;
}
slot = (struct dbglog_slot *)nla_data(tb[CLD80211_ATTR_DATA]);
if (!slot) {
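Review bot: The new audit comment in the first hunk overstates what the later check covers: passing a NULL policy to nla_parse() disables type and length validation for every attribute, while the nla_len() check added in the second hunk validates only tb[CLD80211_ATTR_DATA], so any other tb[] entry this handler reads (the rest of cnss_diag_cmd_handler is outside these hunks) still needs its own length check. I would scope the comment accordingly, e.g. `/* audit note: a NULL policy is acceptable only because the sole attribute consumed here, CLD80211_ATTR_DATA, is length-checked below; any new attribute read from tb[] needs its own nla_len() check */`. Separately, tb is declared as `struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_MAX + 1]` but nla_parse() is called with maxtype CLD80211_ATTR_MAX; the two enum values are not visible here, and if CLD80211_ATTR_MAX is the larger one nla_parse() would write past the end of tb, so sizing the array to the maxtype actually used, `struct nlattr *tb[CLD80211_ATTR_MAX + 1];`, removes that dependency.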