
qcacld-3.0: Validate sessionId before use in csr_roam_substate_change

csr_roam_set_bss_config_cfg invokes csr_roam_substate_change
with sessionId as one argument to change roam substate. In
csr_roam_substate_change, sessionId is used as the index of array
curSubState of max allowed index CSR_ROAM_SESSION_MAX(5). But
there is no check present in csr_roam_substate_change to
validate sessionId against maximum allowed concurrent sessions.
This results in an Out-of-Bounds access if sessionId >=
CSR_ROAM_SESSION_MAX.

Add check for sessionId against CSR_ROAM_SESSION_MAX in
csr_roam_substate_change.

Change-Id: Iae7da836001a9ccbec77cdc64df27b259f15bf4e
CRs-Fixed: 2268547
Abhinav Kumar, 6 years ago
Parent
Current commit 43ab01b116
1 file changed, 9 insertions, 0 deletions
  core/sme/src/csr/csr_api_roam.c (+9 -0)

+ 9 - 0
core/sme/src/csr/csr_api_roam.c

@@ -1551,6 +1551,11 @@ void csr_release_command_wm_status_change(tpAniSirGlobal pMac,
 void csr_roam_substate_change(tpAniSirGlobal pMac,
 		enum csr_roam_substate NewSubstate, uint32_t sessionId)
 {
+	if (sessionId >= CSR_ROAM_SESSION_MAX) {
+		sme_err("Invalid no of concurrent sessions %d",
+			  sessionId);
+		return;
+	}
 	sme_debug("CSR RoamSubstate: [ %s <== %s ]",
 		mac_trace_getcsr_roam_sub_state(NewSubstate),
 		mac_trace_getcsr_roam_sub_state(pMac->roam.
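Review bot: the error string in the new guard reads "Invalid no of concurrent sessions %d", but the value printed is sessionId, an array index, not a count of sessions; suggest "Invalid sessionId %u" (sessionId is uint32_t, so %u rather than %d). Also note that because csr_roam_substate_change is void, the early return silently drops the substate change and the caller cannot tell it happened, so callers should validate sessionId before reaching this point rather than relying on this function to reject it.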
@@ -5542,6 +5547,10 @@ QDF_STATUS csr_roam_set_bss_config_cfg(tpAniSirGlobal pMac, uint32_t sessionId,
 	uint32_t cfgCb = WNI_CFG_CHANNEL_BONDING_MODE_DISABLE;
 	uint8_t channel = 0;
 	struct csr_roam_session *pSession = CSR_GET_SESSION(pMac, sessionId);
+	if (!pSession) {
+		sme_err("session %d not found", sessionId);
+		return QDF_STATUS_E_FAILURE;
+	}
 
 	/* Make sure we have the domain info for the BSS we try to connect to.
 	 * Do we need to worry about sequence for OSs that are not Windows??
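Review bot: the new `if (!pSession)` block sits directly after the `pSession` declaration with no blank line separating declarations from statements, while the existing blank line now falls between the check and the following comment; move the blank line above the `if`. More importantly, this guard only helps if CSR_GET_SESSION returns NULL for an out-of-range sessionId, which is not visible in this hunk; if that macro indexes the session array unchecked, an explicit `if (sessionId >= CSR_ROAM_SESSION_MAX)` test before the lookup is what actually closes the out-of-bounds path described in the commit message. As in the first hunk, sessionId is uint32_t, so `%u` is the correct format specifier in "session %d not found".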