
qcacmn: Fix possible buffer overflow in send_scan_start_cmd_tlv

In the function send_scan_start_cmd_tlv(), extraie_len_with_pad
is computed as roundup(params->extraie.len, sizeof(uint32_t)).
But extraie_len_with_pad is of type uint8_t. This causes
integer overflow of extraie_len_with_pad. The length of the
wmi command buffer for scan command (len) is incremented by
this extraie_len_with_pad to allocate memory for the additional
IEs that are passed from upper layer to the firmware. But when
params->extraie.len is greater than 255, extraie_len_with_pad
overflows and obtains a lower value. This causes a lower wmi buffer
length allocation, but the copy is done for the entire
params->extraie.len, resulting in overwriting of the skb that is
passed to firmware. This causes host assert when this skb is
freed.

Change the data type of extraie_len_with_pad to uint16_t from
uint8_t as the additional IE sent from upper layer can have a
maximum length of 2048. Also change the data type of len from
int to size_t to avoid overflow of len.

Change-Id: I11fae83a85a3f787b37e47df97ffc4b183cba913
CRs-Fixed: 2405641
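To make the truncation concrete, the following is an added C model of the length computation before and after this patch (example code, not code from the qcacmn driver), with a further explicit bound check that the patch itself does not add. The 100-byte command size, the 300-byte IE, the ROUNDUP4 macro and EXTRAIE_MAX_LEN_ASSUMED are constructed for the example; the driver's real helpers and limits are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>

/* Same rounding the driver applies: pad the IE length to a 4-byte multiple. */
#define ROUNDUP4(x) (((x) + (size_t)3) & ~(size_t)3)
/* Maximum extra-IE length the commit message cites (assumed name, not a WMI macro). */
#define EXTRAIE_MAX_LEN_ASSUMED ((size_t)2048)

/* Before the fix: the padded length is stored in a uint8_t, so anything
 * over 255 is truncated modulo 256 before it is added to the buffer length. */
size_t alloc_len_before_fix(size_t cmd_len, size_t extraie_len)
{
    int len = (int)cmd_len;
    uint8_t extraie_len_with_pad = 0;
    if (extraie_len)
        extraie_len_with_pad = (uint8_t)ROUNDUP4(extraie_len); /* wraps here */
    len += extraie_len_with_pad;
    return (size_t)len;
}

/* After the fix: uint16_t holds any padded length up to 65532. */
size_t alloc_len_after_fix(size_t cmd_len, size_t extraie_len)
{
    size_t len = cmd_len;
    uint16_t extraie_len_with_pad = 0;
    if (extraie_len)
        extraie_len_with_pad = (uint16_t)ROUNDUP4(extraie_len);
    len += extraie_len_with_pad;
    return len;
}

/* Defensive variant (added here, not part of the patch): reject lengths above
 * the documented maximum instead of relying on the wider type alone; 0 = reject. */
size_t alloc_len_checked(size_t cmd_len, size_t extraie_len)
{
    if (extraie_len > EXTRAIE_MAX_LEN_ASSUMED)
        return 0;
    return cmd_len + ROUNDUP4(extraie_len);
}

/* Bytes the copy of params->extraie.len would write past an allocation of alloc_len. */
size_t overrun_bytes(size_t alloc_len, size_t cmd_len, size_t extraie_len)
{
    size_t needed = cmd_len + extraie_len;
    return needed > alloc_len ? needed - alloc_len : 0;
}
```

With a 300-byte IE the old code allocates 100 + 44 bytes and then copies 300, so the skb is overrun by 256 bytes; the fixed code allocates 400 and the overrun is 0.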
Pragaspathi Thilagaraj, 6 years ago
parent commit 750f71a5e6
1 changed file with 2 additions and 2 deletions

wmi/src/wmi_unified_tlv.c (+2 -2)

@@ -2452,8 +2452,8 @@ static QDF_STATUS send_scan_start_cmd_tlv(wmi_unified_t wmi_handle,
 	uint32_t *tmp_ptr;
 	wmi_ssid *ssid = NULL;
 	wmi_mac_addr *bssid;
-	int len = sizeof(*cmd);
-	uint8_t extraie_len_with_pad = 0;
+	size_t len = sizeof(*cmd);
+	uint16_t extraie_len_with_pad = 0;
 	uint8_t phymode_roundup = 0;
 	struct probe_req_whitelist_attr *ie_whitelist = &params->ie_whitelist;
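Review bot: widening extraie_len_with_pad to uint16_t removes the wrap for the 2048-byte maximum the message cites, but the hunk adds no explicit check that params->extraie.len actually stays within that maximum, so a larger value from the upper layer would still wrap at 65536; a bound check before the roundup that returns an error when the limit is exceeded would make the allocation safe without relying on the caller. Also, changing len from int to size_t only helps if the buffer allocation and any length field it is later stored into accept a value at least that wide, and any format string that printed len with %d will now mismatch; worth confirming at those call sites in the same file.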