qcacmn: Fix out of bound access in extract_single_phyerr_tlv

Bufp and buf_len are populated in extract_comb_phyerr_tlv
without validating the buf_len which can cause possible
out of bound access in dfs_phyerr_event_handler.

Fix is to validate the buf_len against num_bufp in param_tlvs.

Change-Id: I95e18d7600f8419f31e768fcc18c3024fe37b7db
CRs-Fixed: 2321371

wmi/src/wmi_unified_tlv.c

@@ -19403,6 +19403,13 @@ static QDF_STATUS extract_comb_phyerr_tlv(wmi_unified_t wmi_handle,
 	phyerr->tsf64 = pe_hdr->tsf_l32;
 	phyerr->tsf64 |= (((uint64_t)pe_hdr->tsf_u32) << 32);
 	phyerr->bufp = param_tlvs->bufp;
+
+	if (pe_hdr->buf_len > param_tlvs->num_bufp) {
+		WMI_LOGD("Invalid buf_len %d, num_bufp %d",
+			 pe_hdr->buf_len, param_tlvs->num_bufp);
+		return QDF_STATUS_E_FAILURE;
+	}
+
 	phyerr->buf_len = pe_hdr->buf_len;
 	phyerr->phy_err_mask0 = pe_hdr->rsPhyErrMask0;
 	phyerr->phy_err_mask1 = pe_hdr->rsPhyErrMask1;