
qcacld-3.0: Fix possible OOB access in lim_process_auth_frame

Key id is extracted from data buffer without validating
len of data which could result in out-of-bounds access.

Fix is to validate frame len before extracting key id
from data buffer.

Change-Id: I1f4d88b7ca6201f03a6bc8e6915f1479f571838f
CRs-Fixed: 2254141
Yeshwanth Sriram Guntuka 7 years ago
parent
commit
72a91dbeaa
1 changed file with 8 additions and 0 deletions
      core/mac/src/pe/lim/lim_process_auth_frame.c

+ 8 - 0
core/mac/src/pe/lim/lim_process_auth_frame.c

@@ -1149,6 +1149,10 @@ lim_process_auth_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info,
 
 	body_ptr = WMA_GET_RX_MPDU_DATA(rx_pkt_info);
 
+	if (frame_len < 2) {
+		pe_err("invalid frame len: %d", frame_len);
+		return;
+	}
 	auth_alg = *(uint16_t *) body_ptr;
 	pe_debug("auth_alg %d ", auth_alg);
 
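Review bot: the new `frame_len < 2` guard does cover the two-byte read `auth_alg = *(uint16_t *) body_ptr;` that follows, but the bound is a magic number; writing it as `sizeof(uint16_t)` (or a named constant for the auth-algorithm field) would tie the check to the read it protects and keep it correct if the read is changed later. The bare `return` here differs from the `goto free` used in the second hunk; that is only right if nothing has been allocated at this point in the function, which the visible context does not show, so it is worth confirming against the lines above the hunk. Since this path handles frames from not-yet-authenticated peers, consider whether `pe_err` on every malformed frame is the intended log level or whether it should be rate limited.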
@@ -1197,6 +1201,10 @@ lim_process_auth_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info,
 					mac_hdr->sa, pe_session, false);
 			goto free;
 		}
+		if (frame_len < 4) {
+			pe_err("invalid frame len: %d", frame_len);
+			goto free;
+		}
 		/* Extract key ID from IV (most 2 bits of 4th byte of IV) */
 		key_id = (*(body_ptr + 3)) >> 6;
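Review bot: the `frame_len < 4` check guards exactly the single read `*(body_ptr + 3)`, but the literal 4 duplicates the knowledge in the comment ("4th byte of IV"); deriving the bound from a named IV-length constant (a hypothetical `LIM_WEP_IV_LEN`, for example) would make the intent explicit and keep the check and the offset in step. Note that this guard covers only the key-ID byte; any later access to the bytes following the IV in this branch (not visible in the hunk) needs its own length check. Using `goto free` here matches the error path at the adjacent `goto free;` just above, so cleanup stays consistent within this branch.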