qcacld-3.0: Prevent possible OOB access in hdd_sendactionframe

In the function hdd_sendactionframe, the parameters passed include the
payload and the corresponding payload length; payload being generic
pointer. The payload is then typecasted into the destination structure
of type tpSirMacVendorSpecificFrameHdr. If the size of the payload
specified in payload_len is less than the size of the destination
structure, there is possiblility of OOB read while accessing the same.

To prevent this security vulnerability, add a sanity check for the
payload_len against the size of the destination structure.

Change-Id: Ib0e7b7bfcf78412d81f18cf887e5296d80272598
CRs-Fixed: 2517858

core/hdd/src/wlan_hdd_ioctl.c

@@ -1540,6 +1540,11 @@ hdd_sendactionframe(struct hdd_adapter *adapter, const uint8_t *bssid,
 	struct cfg80211_mgmt_tx_params params;
 #endif
 
+	if (payload_len < sizeof(tSirMacVendorSpecificFrameHdr)) {
+		hdd_warn("Invalid payload length: %d", payload_len);
+		return -EINVAL;
+	}
+
 	if (QDF_STA_MODE != adapter->device_mode) {
 		hdd_warn("Unsupported in mode %s(%d)",
 			 qdf_opmode_str(adapter->device_mode),