qcacld-3.0: Fix channel avoid frequency list corruption

In wlan_hdd_merge_avoid_freqs() there is a test to determine if the
merged frequency list will exceed the size of the destination buffer,
and if so, the function returns an error. Unfortunately the method to
determine overflow actually modifies the information in the
destination list, and so if the error return occurs the destination
list will contain an incorrect, too large, destination list size.
Address this issue by determining if the list will overflow prior to
modifying the destination list size.

Change-Id: I9ede0bc24c676d6a9ef124d83c36ca9860b847f7
CRs-Fixed: 2410138

core/hdd/src/wlan_hdd_cfg80211.c

@@ -860,14 +860,16 @@ int wlan_hdd_merge_avoid_freqs(struct ch_avoid_ind_type *destFreqList,
 		struct ch_avoid_ind_type *srcFreqList)
 {
 	int i;
+	uint32_t room;
 	struct ch_avoid_freq_type *avoid_range =
 	&destFreqList->avoid_freq_range[destFreqList->ch_avoid_range_cnt];
 
-	destFreqList->ch_avoid_range_cnt += srcFreqList->ch_avoid_range_cnt;
+	room = CH_AVOID_MAX_RANGE - destFreqList->ch_avoid_range_cnt;
-	if (destFreqList->ch_avoid_range_cnt > CH_AVOID_MAX_RANGE) {
+	if (srcFreqList->ch_avoid_range_cnt > room) {
 		hdd_err("avoid freq overflow");
 		return -EINVAL;
 	}
+	destFreqList->ch_avoid_range_cnt += srcFreqList->ch_avoid_range_cnt;
 
 	for (i = 0; i < srcFreqList->ch_avoid_range_cnt; i++) {
 		avoid_range->start_freq =