qcacld-3.0: Fix potential buffer overwrite in the htt_t2h_lp_msg_handler

qcacld-2.0 to qcacld-3.0 propagation

Check for the validity of tx_desc_id when receiving the HTT message of
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND from firmware to ensure the buffer
overwrite does not happen.

Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2164705
Tiger Yu 7 years ago
parent
commit
6a10e3e173
1 changed files with 6 additions and 0 deletions
core/dp/txrx/ol_tx_desc.h

@@ -131,6 +131,9 @@ ol_tx_desc_find_check(struct ol_txrx_pdev_t *pdev, u_int16_t tx_desc_id)
 {
 	struct ol_tx_desc_t *tx_desc;
 
+	if (tx_desc_id >= pdev->tx_desc.pool_size)
+		return NULL;
+
 	tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
 
 	if (tx_desc->pkt_type == ol_tx_frm_freed)
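
Review bot: The new early return at the top of ol_tx_desc_find_check rejects an out-of-range tx_desc_id silently, so a firmware message carrying a bad id leaves no trace. Since the commit message says the id arrives from firmware in HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND, consider a rate-limited error log or a counter before `return NULL;` so the condition can be detected in the field. This change touches only ol_tx_desc.h, so please also confirm that the caller in htt_t2h_lp_msg_handler checks for a NULL return before using the descriptor, and that pdev->tx_desc.pool_size is the number of descriptors actually allocated at the time of the call, because the check is only as strong as that bound.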
@@ -146,6 +149,9 @@ ol_tx_desc_find_check(struct ol_txrx_pdev_t *pdev, u_int16_t tx_desc_id)
 {
 	struct ol_tx_desc_t *tx_desc;
 
+	if (tx_desc_id >= pdev->tx_desc.pool_size)
+		return NULL;
+
 	tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
 
 	/* check against invalid tx_desc_id */
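
Review bot: The same three-line range check is duplicated in this second definition of ol_tx_desc_find_check, which means the two variants can drift apart and any other user of ol_tx_desc_find stays unprotected. Consider putting the bound test in one shared place, for example a small inline helper used by both variants, or in ol_tx_desc_find itself if all of its callers can tolerate NULL. The existing comment `/* check against invalid tx_desc_id */` now follows the lookup while the range check precedes it, so a short comment on the new test saying that it guards the pool index taken from firmware would keep the two checks distinguishable.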