
qcacld-3.0: Possible buff overflow in sir_convert_assoc_resp_frame2_struct

After parsing a Re/Association Response frame,
sir_convert_assoc_resp_frame2_struct populates the association response
structure sSirAssocRsp. If FEATURE_WLAN_ESE is enabled,
the host runs a loop to memcopy all WMM TSPEC info from the parsed
buffer into the association response structure.
Currently, while copying the parsed data to sSirAssocRsp,
sir_convert_assoc_resp_frame2_struct passes (sizeof(tDot11fIEWMMTSPEC)
* ar->num_WMMTSPEC) as the length argument to qdf_mem_copy to copy an individual
TSPECInfo. This could result in a buffer overflow, as the size of one
TSPECInfo is only sizeof(tDot11fIEWMMTSPEC).

Pass the correct length to qdf_mem_copy while copying TSPECInfo.

Change-Id: I9c74e3bbd387fda736a715625260d95c67f03ecc
CRs-Fixed: 2254946
Author: Abhinav Kumar, 6 years ago
Commit: 7b40021398
1 changed file with 1 addition and 2 deletions

core/mac/src/sys/legacy/src/utils/src/parser_api.c (+1 -2)

@@ -3124,8 +3124,7 @@ sir_convert_assoc_resp_frame2_struct(tpAniSirGlobal pMac,
 		for (cnt = 0; cnt < ar->num_WMMTSPEC; cnt++) {
 			qdf_mem_copy(&pAssocRsp->TSPECInfo[cnt],
 					&ar->WMMTSPEC[cnt],
-					(sizeof(tDot11fIEWMMTSPEC) *
-					 ar->num_WMMTSPEC));
+					sizeof(tDot11fIEWMMTSPEC));
 		}
 		pAssocRsp->tspecPresent = true;
 	}
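Review bot: the per-element length is now right, but this hunk still gives no guarantee that the loop bound `cnt < ar->num_WMMTSPEC` stays within the capacity of the destination array `pAssocRsp->TSPECInfo`; if `num_WMMTSPEC` is taken from the parsed frame and the parser does not already clamp it to the size of `TSPECInfo`, the loop can still write past the end of `pAssocRsp` one element at a time. Suggest either citing the existing bound in the parser or clamping here, e.g. `for (cnt = 0; cnt < ar->num_WMMTSPEC && cnt < ARRAY_SIZE(pAssocRsp->TSPECInfo); cnt++)` (assuming `TSPECInfo` is a fixed-size array, which the hunk does not show). Since source and destination elements are the same `tDot11fIEWMMTSPEC` type, a plain struct assignment `pAssocRsp->TSPECInfo[cnt] = ar->WMMTSPEC[cnt];` would also remove the hand-computed length entirely and make this class of mistake impossible to reintroduce.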