qcacmn: Check the valid of chain mask capabilities number

The pointer to chain masks capabilities is increased, and the number
of chainmask capabilities isn't check if valid. Which will cause oob
read list of chain mask capabilities.

Change-Id: I1f11fb49d545a4f88fe4d0734968dbe17c3f1a7e
CRs-Fixed: 2347661

wmi/src/wmi_unified_tlv.c

@@ -9108,6 +9108,7 @@ static QDF_STATUS extract_chainmask_tables_tlv(wmi_unified_t wmi_handle,
 	WMI_MAC_PHY_CHAINMASK_CAPABILITY *chainmask_caps;
 	WMI_SOC_MAC_PHY_HW_MODE_CAPS *hw_caps;
 	uint8_t i = 0, j = 0;
+	uint32_t num_mac_phy_chainmask_caps = 0;
 
 	param_buf = (WMI_SERVICE_READY_EXT_EVENTID_param_tlvs *) event;
 	if (!param_buf)
@@ -9128,6 +9129,26 @@ static QDF_STATUS extract_chainmask_tables_tlv(wmi_unified_t wmi_handle,
 	if (chainmask_caps == NULL)
 		return QDF_STATUS_E_INVAL;
 
+	for (i = 0; i < hw_caps->num_chainmask_tables; i++) {
+		if (chainmask_table[i].num_valid_chainmasks >
+		    (UINT_MAX - num_mac_phy_chainmask_caps)) {
+			wmi_err_rl("integer overflow, num_mac_phy_chainmask_caps:%d, i:%d, um_valid_chainmasks:%d",
+				   num_mac_phy_chainmask_caps, i,
+				   chainmask_table[i].num_valid_chainmasks);
+			return QDF_STATUS_E_INVAL;
+		}
+		num_mac_phy_chainmask_caps +=
+			chainmask_table[i].num_valid_chainmasks;
+	}
+
+	if (num_mac_phy_chainmask_caps >
+	    param_buf->num_mac_phy_chainmask_caps) {
+		wmi_err_rl("invalid chainmask caps num, num_mac_phy_chainmask_caps:%d, param_buf->num_mac_phy_chainmask_caps:%d",
+			   num_mac_phy_chainmask_caps,
+			   param_buf->num_mac_phy_chainmask_caps);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	for (i = 0; i < hw_caps->num_chainmask_tables; i++) {
 
 		qdf_print("Dumping chain mask combo data for table : %d", i);