qcacmn: Sanity check on the incoming PTT cmd

In ptt_cmd_handler(), validate that the command attribute is of
minimum allowed size. This prevents parsing of rogue command
format. Also add audit comment to express the intent why policy
table is not used while using nla_parse API.

Change-Id: Ia2da6c88245190aad9a00110059fd6dcfda8a9fa
CRs-Fixed: 2058353

utils/ptt/src/wlan_ptt_sock_svc.c

@@ -268,6 +268,10 @@ static void ptt_cmd_handler(const void *data, int data_len, void *ctx, int pid)
 	ptt_app_reg_req *payload;
 	struct nlattr *tb[CLD80211_ATTR_MAX + 1];
 
+	/*
+	 * audit note: it is ok to pass a NULL policy here since a
+	 * length check on the data is added later already
+	 */
 	if (nla_parse(tb, CLD80211_ATTR_MAX, data, data_len, NULL)) {
 		PTT_TRACE(QDF_TRACE_LEVEL_ERROR, "Invalid ATTR");
 		return;
@@ -278,6 +282,12 @@ static void ptt_cmd_handler(const void *data, int data_len, void *ctx, int pid)
 		return;
 	}
 
+	if (nla_len(tb[CLD80211_ATTR_DATA]) < sizeof(struct ptt_app_reg_req)) {
+		PTT_TRACE(QDF_TRACE_LEVEL_ERROR, "%s:attr length check fails\n",
+			__func__);
+		return;
+	}
+
 	payload = (ptt_app_reg_req *)(nla_data(tb[CLD80211_ATTR_DATA]));
 	switch (payload->wmsg.type) {
 	case ANI_MSG_APP_REG_REQ: