
qcacmn: Fix bounds check in populate_mac_phy_capability

In populate_mac_phy_capability, bounds on an array are checked after
writing to the array. This leads to writing to one past the end of the
array under error conditions. Check the bounds of the array before,
rather than after, writing to it in populate_mac_phy_capability.

Change-Id: I34c7415b8fb925bea5a715214e3aa3ac8a4bacc8
CRs-Fixed: 2059155
Dustin Brown 7 years ago
parent
commit
69280df6ee
1 changed files with 7 additions and 5 deletions
  1. 7 5
      target_if/init_deinit/src/service_ready_event_handler.c

+ 7 - 5
target_if/init_deinit/src/service_ready_event_handler.c

@@ -168,6 +168,12 @@ static int populate_mac_phy_capability(void *handle, uint8_t *evt,
 
 	mac_phy_id = 0;
 	while (phy_bit_map) {
+		if (*total_mac_phy >= PSOC_MAX_MAC_PHY_CAP) {
+			WMI_LOGE("total mac phy exceeds max limit %d",
+				*total_mac_phy);
+			return -EINVAL;
+		}
+
 		status = wmi_extract_mac_phy_cap_service_ready_ext(handle,
 				evt, hw_mode_id, mac_phy_id,
 				&(service_param->mac_phy_cap[*total_mac_phy]));
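Review bot: The guard added at the top of the `while (phy_bit_map)` loop has no comment explaining that it must run before `wmi_extract_mac_phy_cap_service_ready_ext()` writes into `service_param->mac_phy_cap[*total_mac_phy]`, which is exactly the ordering the old code got wrong. I would put `/* Validate the index before the extract call writes mac_phy_cap[*total_mac_phy]. */` above the `if` so a later refactor does not move the check back below the write. The log text still says "exceeds max limit" while printing the current count, which at this point equals the limit; printing both values, for example `WMI_LOGE("mac phy count %d reached limit %d", *total_mac_phy, PSOC_MAX_MAC_PHY_CAP);`, would make a rejected event easier to triage. The function begins before this hunk and continues past it, so the origin of `phy_bit_map` and what the caller does with the partially filled array on `-EINVAL` cannot be confirmed from here.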
@@ -175,12 +181,8 @@ static int populate_mac_phy_capability(void *handle, uint8_t *evt,
 			WMI_LOGE("failed to parse mac phy capability");
 			return qdf_status_to_os_return(status);
 		}
+
 		(*total_mac_phy)++;
-		if (*total_mac_phy > PSOC_MAX_MAC_PHY_CAP) {
-			WMI_LOGE("total mac phy exceeds max limit %d",
-				*total_mac_phy);
-			return -EINVAL;
-		}
 		phy_bit_map &= (phy_bit_map - 1);
 		mac_phy_id++;
 	}