
qcacld-3.0: Fix possible roam_synch_frame_event handler OOB

The length attributes for all message frames are retrieved from
param_buf->fixed_param rather than using the correct TLV length values.
This can result in multiple buffer overreads due to the fact that the
param_buf->fixed_param lengths are never properly checked against the
original TLV buffer.

Add a check of the param_buf->fixed_param lengths against the TLV buffer to
prevent OOB from happening.

Change-Id: Ib6e2c847b9a2cc7bfe1233eb1f8214be75f21850
CRs-Fixed: 2304631
Will Huang, 6 years ago
parent
commit
6ab242c917
1 changed file, 16 additions and 0 deletions

+ 16 - 0
core/wma/src/wma_scan_roam.c

@@ -2534,6 +2534,22 @@ int wma_roam_synch_frame_event_handler(void *handle, uint8_t *event,
 		return status;
 	}
 
+	if (synch_frame_event->bcn_probe_rsp_len >
+	    param_buf->num_bcn_probe_rsp_frame ||
+	    synch_frame_event->reassoc_req_len >
+	    param_buf->num_reassoc_req_frame ||
+	    synch_frame_event->reassoc_rsp_len >
+	    param_buf->num_reassoc_rsp_frame) {
+		WMA_LOGE("fixed/actual len err: bcn:%d/%d req:%d/%d rsp:%d/%d",
+			 synch_frame_event->bcn_probe_rsp_len,
+			 param_buf->num_bcn_probe_rsp_frame,
+			 synch_frame_event->reassoc_req_len,
+			 param_buf->num_reassoc_req_frame,
+			 synch_frame_event->reassoc_rsp_len,
+			 param_buf->num_reassoc_rsp_frame);
+		return status;
+	}
+
 	vdev_id = synch_frame_event->vdev_id;
 	iface = &wma->interfaces[vdev_id];
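Review bot: the new rejection path on the `return status;` line reuses `status` without assigning it, and its value at that point is not visible in this hunk; if it still holds a success value from earlier processing, a frame rejected here would be reported to the caller as handled. Prefer an explicit failure code on this path (for example `status = -EINVAL;` before the return) so the bounds violation is unambiguous to the caller. Minor: the `WMA_LOGE` format uses `%d` for the six length fields; if these TLV length and `num_*` members are unsigned, `%u` is the matching specifier and avoids printing large values as negatives in the diagnostic.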