qcacld-3.0: Possible OOB access in wlan_hdd_cfg80211_start_bss()

Currently in function wlan_hdd_cfg80211_start_bss(), copying
supported rates and extended rates from information element pointer
without checking for array bounds which may cause OOB access.

To address this issue, add length checks before copying supported
rates and extended rates.

Change-Id: Ic6363e97bb3498a5dd23bc5e5f9b9f3ce093509d
CRs-Fixed: 2312995

core/hdd/src/wlan_hdd_hostapd.c

@@ -4992,6 +4992,12 @@ int wlan_hdd_cfg80211_start_bss(struct hdd_adapter *adapter,
 
 		if (pIe != NULL) {
 			pIe++;
+			if (pIe[0] > SIR_MAC_RATESET_EID_MAX) {
+				hdd_err("Invalid supported rates %d",
+					pIe[0]);
+				ret = -EINVAL;
+				goto error;
+			}
 			pConfig->supported_rates.numRates = pIe[0];
 			pIe++;
 			for (i = 0;
@@ -5008,6 +5014,12 @@ int wlan_hdd_cfg80211_start_bss(struct hdd_adapter *adapter,
 					       pBeacon->tail_len);
 		if (pIe != NULL) {
 			pIe++;
+			if (pIe[0] > SIR_MAC_RATESET_EID_MAX) {
+				hdd_err("Invalid supported rates %d",
+					pIe[0]);
+				ret = -EINVAL;
+				goto error;
+			}
 			pConfig->extended_rates.numRates = pIe[0];
 			pIe++;
 			for (i = 0; i < pConfig->extended_rates.numRates; i++) {