qcacld-3.0: Avoid buffer overflow during extscan bucket fill

This is a qcacld-2.0 to qcacld-3.0 propagation.

Function hdd_extscan_start_fill_bucket_channel_spec() is used to
transfer EXTSCAN bucket parameters from a netlink message to an
internal representation.  A code analysis tool identified a potential
buffer overflow of the per-bucket channel list in this function.  In
reality this is a false positive since there is other logic which
limits the total number of channels across all buckets, and this logic
will prevent overflow of the channel list for a single bucket since
they use the same limit.

However this presents a code maintenance issue since a potential
overflow could be introduced in the future if a change is made to
allow the total number of channels across all buckets to exceed the
number of channels allowed in a single bucket.

To protect against this possibility, as well as make the code analysis
tool happy, add an additional check to make sure the per-bucket
channel list does not overflow.

Change-Id: Ifdf2de918d8b2c5a907e833e7bc42315b607e5a5
CRs-Fixed: 922047
Jeff Johnson
2015-10-29 11:26:02 -07:00
committed by Prakash Dhavali
parent 2af97f8b99
commit c2579efc8e


@@ -2905,6 +2905,11 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
j = 0; j = 0;
nla_for_each_nested(channels, nla_for_each_nested(channels,
bucket[QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC], rem2) { bucket[QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC], rem2) {
if ((j >= req_msg->buckets[bkt_index].numChannels) ||
hdd_extscan_channel_max_reached(req_msg,
total_channels))
break;
if (nla_parse(channel, if (nla_parse(channel,
QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
nla_data(channels), nla_len(channels), nla_data(channels), nla_len(channels),
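Review bot: The new test j >= req_msg->buckets[bkt_index].numChannels at the top of the loop bounds the write index by a count held in the request itself, not by the declared capacity of the per-bucket channel list. It only prevents the overflow the commit message describes if numChannels has already been clamped to that capacity before this loop, and that is not visible in this hunk. Either reference the clamp in the commit message or compare j against the array size directly. The break is also silent, so a log line saying that channels were dropped would help when a scan request is truncated.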
@@ -2913,10 +2918,6 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
return -EINVAL; return -EINVAL;
} }
if (hdd_extscan_channel_max_reached(req_msg,
total_channels))
break;
/* Parse and fetch channel */ /* Parse and fetch channel */
if (!channel[ if (!channel[
QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_CHANNEL]) { QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_CHANNEL]) {
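Review bot: Dropping the hdd_extscan_channel_max_reached() test from after nla_parse() changes when -EINVAL is returned, and the commit message does not mention it. Previously the channel attribute at which the limit is reached was still parsed and a malformed one was rejected with -EINVAL; with the test now ahead of nla_parse(), the loop breaks first and that attribute is never validated. If accepting a request with unparsed trailing channel attributes is intended, state that in the commit message; otherwise keep the parse ahead of the limit checks.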