
qcacld-3.0: Check channel_count while handling DCC update ndl event

Invalid channel_count may be sent to driver by user with
QCA_NL80211_VENDOR_SUBCMD_DCC_UPDATE_NDL vendor command, and may also
pass the sanity check with update_ndl_param->dcc_ndl_chan_list_len as
integer overflow, in send_dcc_update_ndl_cmd_tlv. This leads to heap
overflow while updating NDL per channel.

Fix is to validate channel count sent by user in
__wlan_hdd_cfg80211_dcc_update_ndl before accessing it.

Change-Id: Icf385dd5618fcdbdbf427062fe581fa7d3909882
CRs-Fixed: 2339182
Abhinav Kumar 6 years ago
parent
commit
5e002903e1
1 changed files with 6 additions and 0 deletions

+ 6 - 0
core/hdd/src/wlan_hdd_ocb.c

@@ -1911,6 +1911,12 @@ static int __wlan_hdd_cfg80211_dcc_update_ndl(struct wiphy *wiphy,
 	ndl_active_state_array = nla_data(
 		tb[QCA_WLAN_VENDOR_ATTR_DCC_UPDATE_NDL_ACTIVE_STATE_ARRAY]);
 
+	/* Check channel count. Per 11p spec, max 2 channels allowed */
+	if (!channel_count || channel_count > TGT_NUM_OCB_CHANNELS) {
+		hdd_err("Invalid channel_count %d", channel_count);
+		return -EINVAL;
+	}
+
 	request = osif_request_alloc(&params);
 	if (!request) {
 		hdd_err("Request allocation failure");
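
Review bot: The added check bounds channel_count against TGT_NUM_OCB_CHANNELS, but nothing in the visible lines ties that count to the length of the QCA_WLAN_VENDOR_ATTR_DCC_UPDATE_NDL_ACTIVE_STATE_ARRAY payload read with nla_data() just above it. Since both the count and the arrays come from the same user-supplied vendor command, please confirm (or add here) an nla_len() comparison of each array attribute against the size implied by channel_count before the request is allocated, so a valid count paired with a short or oversized array is also rejected with -EINVAL. Two smaller points on the same lines: the comment hardcodes "max 2 channels" while the condition uses TGT_NUM_OCB_CHANNELS, so the comment will go stale if the macro changes and would read better referring to the macro; and the "%d" in hdd_err("Invalid channel_count %d", channel_count) should match the declared type of channel_count, which is not visible in this hunk. It would also be cleaner to run the count check before fetching the array pointers, right after channel_count is parsed.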