qcacmn: Fix possible OOB write in wlan_ftm_process_utf_event

The function wlan_ftm_process_utf_event, is invoked upon the
reception of the WMI event WMI_PDEV_UTF_EVENTID. The event_buf
argument to it is fully FW controlled.  There are two issues
here:
1. event.datalen of type uint32_t is assigned to utf_datalen of
type uint16_t which can lead to a possible integer underflow.
2. utf_datalen is calculated as the difference of event.datalen
and sizeof(seghdr_info), without validating if datalen is not
less than sizeof(seghdr_info). This could cause a potential OOB
write as utf_datalen is used as the size to copy utf_data to
ftm_pdev_obj->data.

Add fix to change the type of utf_datalen to uint32_t.

Change-Id: Ibd61b4ef8cd514d43f212174e745b1c76af1047d
CRs-Fixed: 2305477

ftm/dispatcher/src/wlan_ftm_ucfg_api.c

@@ -51,7 +51,7 @@ wlan_ftm_process_utf_event(struct wlan_objmgr_pdev *pdev,
 			    uint8_t *event_buf, uint32_t len)
 {
 	struct wifi_ftm_pdev_priv_obj *ftm_pdev_obj;
-	u_int16_t utf_datalen;
+	uint32_t utf_datalen;
 	uint8_t *utf_data;
 	struct ftm_seg_hdr_info seghdr_info;
 	u_int8_t total_segments, current_seq;
@@ -82,6 +82,11 @@ wlan_ftm_process_utf_event(struct wlan_objmgr_pdev *pdev,
 		}
 	}
 
+	if ((len > FTM_CMD_MAX_BUF_LENGTH) ||
+	    (ftm_pdev_obj->offset > (FTM_CMD_MAX_BUF_LENGTH - utf_datalen))) {
+		ftm_err("Invalid utf data len :%d", len);
+		return QDF_STATUS_E_FAILURE;
+	}
 	qdf_mem_copy(&ftm_pdev_obj->data[ftm_pdev_obj->offset],
 			&utf_data[sizeof(seghdr_info)], utf_datalen);