
qcacld-3.0: Avoid integer overflow in wma_rx_aggr_failure_event_handler

Add a sanity check to ensure that num_failure_info from FW does not
cause an integer overflow while calculating alloc_len. alloc_len is in
turn passed to malloc, so an integer overflow of alloc_len can lead to
less memory being allocated than required.

Change-Id: Iea93e879196e9cd43856a7dcc9204d2304f76c78
CRs-Fixed: 2114789
Vignesh Viswanathan 7 years ago
parent
commit
677e3ec4b7
1 changed files with 9 additions and 0 deletions
  1. 9 0
      core/wma/src/wma_features.c

+ 9 - 0
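--- a/core/wma/src/wma_features.c
+++ b/core/wma/src/wma_features.c
@@ -5333,6 +5333,15 @@ int wma_rx_aggr_failure_event_handler(void *handle, u_int8_t *event_buf,
 	rx_aggr_failure_info = param_buf->fixed_param;
 	hole_info = param_buf->failure_info;
 
+	if (rx_aggr_failure_info->num_failure_info > ((WMI_SVC_MSG_MAX_SIZE -
+	    sizeof(*rx_aggr_hole_event)) /
+	    sizeof(rx_aggr_hole_event->hole_info_array[0]))) {
+		WMA_LOGE("%s: Excess data from WMI num_failure_info %d",
+			 __func__, rx_aggr_failure_info->num_failure_info);
+		QDF_ASSERT(0);
+		return -EINVAL;
+	}
+
 	alloc_len = sizeof(*rx_aggr_hole_event) +
 		(rx_aggr_failure_info->num_failure_info)*
 		sizeof(rx_aggr_hole_event->hole_info_array[0]);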
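Review bot: The new guard bounds `num_failure_info` only by `WMI_SVC_MSG_MAX_SIZE`, so it stops `alloc_len` from wrapping but does not tie the count to the number of `failure_info` entries the firmware actually delivered. If the rest of the handler (which continues outside this hunk) copies `num_failure_info` entries out of `hole_info`, a count that passes the size limit but exceeds the received TLV array would still read past the event buffer. Consider extending the condition with the parsed element count, e.g. `|| rx_aggr_failure_info->num_failure_info > param_buf->num_failure_info`, assuming the generated param struct carries that count; confirm against the TLV definition. Separately, the log prints what is presumably an unsigned firmware field with `%d`; `%u` would keep a large count from showing up as a negative number in the very message meant to diagnose it.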