
qcacld-3.0: Handle OOB access from mcs rate array

Currently when host driver tries to give the max ht rate, if
report_max is false it first loops through the rssi_mcs_tbl
to find the entry where rssi is greater than rssi received
from fw and sets that index as mcs index. Then sets this mcs
index to fw advertised tx mcs value if tx mcs is larger.
Then it tries to find the data rate from supported_mcs_rate_nss
table. If mcs index is greater than 7 this leads to OOB access.

To address above issue, limit mcs index to 7 if higher value
is obtained.

Change-Id: I11f5ed42ed9cb0adba0f7c50bfcf325bf58e74e9
CRs-Fixed: 3639109
Asutosh Mohapatra 1 year ago
parent
commit
76bc7bdd73
1 changed file with 7 additions and 2 deletions

+ 7 - 2
core/hdd/src/wlan_hdd_stats.c

@@ -99,6 +99,8 @@
 
 #define MAX_RSSI_MCS_INDEX 14
 
+#define MAX_HT_MCS_INDEX 7
+
 /* 11B, 11G Rate table include Basic rate and Extended rate
  * The IDX field is the rate index
  * The HI field is the rate when RSSI is strong or being ignored
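Review bot: `#define MAX_HT_MCS_INDEX 7` is a bare constant with no comment and nothing tying it to the table it is meant to bound. If `supported_mcs_rate` ever changes size, the clamp and the array drift apart silently. Consider deriving the limit from the array itself (for example `ARRAY_SIZE(supported_mcs_rate) - 1`), or add a one-line comment naming the table and a build-time assertion that the two agree. It would also help to say how this limit relates to `MAX_RSSI_MCS_INDEX 14` directly above, since both are now used in the same function.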
@@ -5839,16 +5841,19 @@ static void hdd_get_max_rate_ht(struct hdd_station_info *stainfo,
 	}
 
 	if (!report_max) {
-		for (i = 0; i < mcsidx; i++) {
+		for (i = 0; i < MAX_HT_MCS_INDEX && i < mcsidx; i++) {
 			if (rssi <= rssi_mcs_tbl[mode][i]) {
 				mcsidx = i;
 				break;
 			}
 		}
-		if (mcsidx < stats->tx_rate.mcs)
+		if (mcsidx < stats->tx_rate.mcs &&
+		    stats->tx_rate.mcs <= MAX_HT_MCS_INDEX)
 			mcsidx = stats->tx_rate.mcs;
 	}
 
+	if (mcsidx > MAX_HT_MCS_INDEX)
+		mcsidx = MAX_HT_MCS_INDEX;
 	tmprate = supported_mcs_rate[mcsidx].supported_rate[flag];
 
 	hdd_debug("tmprate %d mcsidx %d", tmprate, mcsidx);
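Review bot: The added `stats->tx_rate.mcs <= MAX_HT_MCS_INDEX` condition silently discards a firmware-reported MCS above 7, so in that case the reported rate falls back to the RSSI-derived index instead of the highest HT entry. If the intent is only to stay inside `supported_mcs_rate`, the final `if (mcsidx > MAX_HT_MCS_INDEX)` clamp already guarantees that on its own, and dropping the extra condition would let an oversized firmware value clamp to index 7 rather than be ignored. Please state in a comment which of the two behaviours is intended. Two smaller points: the clamp happens without any log, so an out-of-range value from firmware leaves no trace beyond the existing `hdd_debug("tmprate %d mcsidx %d", ...)` line, and the commit message names `supported_mcs_rate_nss` while the indexed array here is `supported_mcs_rate`.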