qcacld-3.0: Fix OOB read in lim_process_deauth_frame

In the API lim_process_deauth_frame, the reason-code is
fetched from the payload, and it may happen that the
payload received is empty, and the MPDU just contains the
header, so the driver may access the memory not allocated
to the frame, thus resulting in a OOB read.

Fix is to have a min length check of 16 bits for the
reason code before accessing it.

Change-Id: I7e7a435ba049356c13fb10240f4abb9bf6219af4
CRs-Fixed: 2249768

core/mac/src/pe/lim/lim_process_deauth_frame.c

@@ -75,6 +75,11 @@ lim_process_deauth_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo,
 
 	pBody = WMA_GET_RX_MPDU_DATA(pRxPacketInfo);
 	frame_rssi = (int32_t)WMA_GET_RX_RSSI_NORMALIZED(pRxPacketInfo);
+	frameLen = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+	if (frameLen < sizeof(reasonCode)) {
+		pe_err("Deauth Frame length invalid %d", frameLen);
+		return ;
+	}
 
 	if (LIM_IS_STA_ROLE(psessionEntry) &&
 	    ((eLIM_SME_WT_DISASSOC_STATE == psessionEntry->limSmeState) ||
@@ -126,7 +131,6 @@ lim_process_deauth_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo,
 
 		/* If the frame received is unprotected, forward it to the supplicant to initiate */
 		/* an SA query */
-		frameLen = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
 
 		/* send the unprotected frame indication to SME */
 		lim_send_sme_unprotected_mgmt_frame_ind(pMac, pHdr->fc.subType,