qcacld-3.0: Fix OOB write in wma_roam_synch_event_handler

The routine wma_roam_synch_event_handler sends roam indication to the
upper layers. It uses the vdev_id of the synch event to pass the roaming
indication for the vdev session. If the vdevid exceeds the max_bssid
supported, then OOB write occurs in wma_roam_synch_event_handler.

Add check to validate vdev does not exceed the maximum bssid configured.
Add check to ensure vdev does not exceed max_bssid and return error if
violated.

Change-Id: Ief8b5070fd6cbb375900e2816524dbd946c5238d
CRs-Fixed: 2206569
Pragaspathi Thilagaraj 7 years ago
commit 54ac69d1ff
1 changed files with 6 additions and 5 deletions

core/wma/src/wma_scan_roam.c

@@ -2226,6 +2226,12 @@ int wma_roam_synch_event_handler(void *handle, uint8_t *event,
 		goto cleanup_label;
 	}
 
+	if (synch_event->vdev_id >= wma->max_bssid) {
+		WMA_LOGE("%s: received invalid vdev_id %d",
+				__func__, synch_event->vdev_id);
+		return status;
+	}
+
 	if (synch_event->bcn_probe_rsp_len >
 	    param_buf->num_bcn_probe_rsp_frame ||
 	    synch_event->reassoc_req_len >
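Review bot: the new vdev_id check leaves with `return status;`, while the check it replaces and the other failure paths visible in this function leave through `goto cleanup_label;`, and nothing in the hunk says why. If bypassing cleanup_label is deliberate (for example because the cleanup path itself uses synch_event->vdev_id), state that in a comment above the check, and confirm that nothing acquired earlier in the handler is left unreleased by the early return. Also confirm that `status` holds an error value here, since the commit message promises an error return and its initialisation is not shown. The `goto cleanup_label` at the top of this hunk still runs before vdev_id is validated, so if the cleanup path does index by vdev_id, that exit needs the same treatment. Minor: the WMA_LOGE continuation line is indented with tabs only, where the removed block aligned it under the opening parenthesis.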
@@ -2238,11 +2244,6 @@ int wma_roam_synch_event_handler(void *handle, uint8_t *event,
 			synch_event->reassoc_rsp_len);
 		goto cleanup_label;
 	}
-	if (synch_event->vdev_id >= wma->max_bssid) {
-		WMA_LOGE("%s: received invalid vdev_id %d",
-			 __func__, synch_event->vdev_id);
-		goto cleanup_label;
-	}
 
 	wlan_roam_debug_log(synch_event->vdev_id, DEBUG_ROAM_SYNCH_IND,
 			    DEBUG_INVALID_PEER_ID, NULL, NULL,
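Review bot: the commit message says "Add check", but the block removed here shows that the same `vdev_id >= wma->max_bssid` test already existed after the length validation and exited through `goto cleanup_label`. The change is therefore a reorder plus a different exit path, and the message should say which of the two closes the OOB write. The first use of vdev_id after this hunk, `wlan_roam_debug_log(synch_event->vdev_id, ...)`, was already behind the old check, so the location of the write is not evident from the diff and is worth naming for anyone backporting.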