
qcacld-3.0: Fix potential buffer over-read during FILS Association

In function wlan_hdd_send_roam_auth_event, FILS kek is copied to
skb for the vendor command QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_PTK_KEK
for kek_len length. There is no validation for the max value of
kek_len, which would lead to a buffer over-read if kek_len exceeds
SIR_KEK_KEY_LEN_FILS.

Add sanity check for kek_len for max limit SIR_KEK_KEY_LEN_FILS
before copying the kek to skb.

Change-Id: I4290909cd2df8686a32d25aa14711db2b899b2eb
CRs-Fixed: 2152985
Author: Vignesh Viswanathan, 7 years ago
parent / commit: 62d9899e8c
1 changed file with 4 additions and 2 deletions

core/hdd/src/wlan_hdd_cfg80211.c (+4 -2)

@@ -5736,13 +5736,15 @@ int wlan_hdd_send_roam_auth_event(struct hdd_adapter *adapter, uint8_t *bssid,
 			hdd_err("failed to send replay counter");
 			goto nla_put_failure;
 		}
-		if (nla_put(skb,
+		if (roam_info_ptr->kek_len > SIR_KEK_KEY_LEN_FILS ||
+		    nla_put(skb,
 			QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_PTK_KCK,
 			SIR_KCK_KEY_LEN, roam_info_ptr->kck) ||
 		    nla_put(skb,
 			QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_PTK_KEK,
 			roam_info_ptr->kek_len, roam_info_ptr->kek)) {
-			hdd_err("nla put fail");
+			hdd_err("nla put fail, kek_len %d",
+				roam_info_ptr->kek_len);
 			goto nla_put_failure;
 		}
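Review bot: the new bound check `roam_info_ptr->kek_len > SIR_KEK_KEY_LEN_FILS` is folded into the same `||` chain as the two nla_put() calls, so an over-length kek_len is logged with the same "nla put fail" message as a genuine skb-space failure, and the added `kek_len %d` in the message is the only hint which of the three conditions tripped. Consider testing kek_len in its own `if` with a dedicated hdd_err() immediately before this block, so the log names the invalid length explicitly and the nla_put chain keeps its original single-purpose error; a short comment stating that SIR_KEK_KEY_LEN_FILS is the size of the kek buffer being read would also make the reason for the limit clear to the next reader, since the check now applies to every roam event, not only FILS.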