
qcacld-3.0: Possible integer overflow in hdd apf read memory cb

In hdd_apf_read_memory_cb, the context buffer length is checked
against the sum of the packet offset and the event length. The packet
offset and event length are extracted from the FW response and can
lead to an integer overflow, which allows the length check to pass
and eventually leads to a buffer overwrite when the event data is
copied to the context buffer.

To avoid this issue, validate the event length against the
available length in the context buffer, which can be obtained
by subtracting the packet offset from the context buffer
length.

Change-Id: I53798e56403f1c550f0a762645ccd67a1dc8500d
CRs-fixed: 2436502
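The two checks side by side, as an added example that is not part of the commit or of the qcacld-3.0 source. It models the fields visible in the hunk (context->offset, context->buf_len, evt->offset, evt->length) as unsigned 32-bit values; the real driver's types are not shown on this page, so that width and signedness are an assumption. chunk_fits_old() reproduces the pre-patch check, chunk_fits_new() the patched one, and the constructed cases show the wrapped sum and the underflowed offset that the old check lets through.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the structures used in the hunk.
 * Assumption: all four fields are unsigned 32-bit, as the wrap-around
 * described in the commit message requires. Not the driver's real types. */
struct apf_read_context {
	uint32_t offset;   /* start of the FW memory region this read covers */
	uint32_t buf_len;  /* bytes allocated for the read result */
};

struct apf_read_event {
	uint32_t offset;   /* chunk offset as reported by the firmware */
	uint32_t length;   /* chunk length as reported by the firmware */
};

/* Pre-patch check: context->buf_len < pkt_offset + evt->length.
 * The addition is done in 32 bits and can wrap to a small value.
 * Returns true when the chunk would be ACCEPTED (i.e. copied). */
static bool chunk_fits_old(const struct apf_read_context *ctx,
			   const struct apf_read_event *evt)
{
	uint32_t pkt_offset = evt->offset - ctx->offset;

	return !(ctx->buf_len < pkt_offset + evt->length);
}

/* Post-patch check: reject an offset past the buffer first, then
 * compare the length against the remaining space. The subtraction
 * cannot wrap because the first clause guarantees pkt_offset <= buf_len. */
static bool chunk_fits_new(const struct apf_read_context *ctx,
			   const struct apf_read_event *evt)
{
	uint32_t pkt_offset = evt->offset - ctx->offset;

	if ((pkt_offset > ctx->buf_len) ||
	    (ctx->buf_len - pkt_offset < evt->length))
		return false;
	return true;
}

/* Ground truth computed without the possibility of wrap-around:
 * the chunk fits only if 0 <= pkt_offset and pkt_offset + length <= buf_len. */
static bool chunk_fits_wide(const struct apf_read_context *ctx,
			    const struct apf_read_event *evt)
{
	int64_t pkt_offset = (int64_t)evt->offset - (int64_t)ctx->offset;

	return pkt_offset >= 0 &&
	       pkt_offset + (int64_t)evt->length <= (int64_t)ctx->buf_len;
}

int main(void)
{
	/* Constructed FW responses against a 256-byte context buffer at offset 0x100. */
	const struct apf_read_context ctx = { .offset = 0x100, .buf_len = 256 };
	const struct apf_read_event cases[] = {
		{ .offset = 0x110, .length = 64 },          /* benign chunk */
		{ .offset = 0x1c8, .length = 57 },          /* one byte too long */
		{ .offset = 0x110, .length = 0xFFFFFFF8u }, /* 16 + length wraps to 8 */
		{ .offset = 0x0ff, .length = 2 },           /* offset below ctx->offset */
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		printf("case %zu: old=%d new=%d truth=%d\n", i,
		       chunk_fits_old(&ctx, &cases[i]),
		       chunk_fits_new(&ctx, &cases[i]),
		       chunk_fits_wide(&ctx, &cases[i]));
	}
	return 0;
}
```

The third case is the one the commit message describes: a length chosen so that pkt_offset + evt->length wraps below buf_len, so the old check accepts a copy of almost 4 GiB into a 256-byte buffer. The fourth case is a related one the patched first clause also catches: an event offset below context->offset makes pkt_offset wrap to 0xFFFFFFFF, which the old addition then wraps back to 1.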
Author: Ashish Kumar Dhanotiya, 6 years ago
Parent commit: 7ba53e0e39
1 changed file with 2 additions and 1 deletion

core/hdd/src/wlan_hdd_apf.c (+2, -1)

@@ -472,7 +472,8 @@ hdd_apf_read_memory_callback(void *hdd_context,
 	 */
 	pkt_offset = evt->offset - context->offset;
 
-	if (context->buf_len < pkt_offset + evt->length) {
+	if ((pkt_offset > context->buf_len) ||
+	    (context->buf_len - pkt_offset < evt->length)) {
 		hdd_err("Read chunk exceeding allocated space");
 		return;
 	}
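Review bot: the new guard `pkt_offset > context->buf_len` only makes the following `context->buf_len - pkt_offset < evt->length` wrap-free if pkt_offset, context->buf_len and evt->length all have the same unsigned type, and the hunk does not show those declarations; please confirm pkt_offset is not a signed int, since a signed value would be converted for the comparison and a negative pkt_offset would slip through the first clause while still yielding a huge subtraction result. Note also that `pkt_offset = evt->offset - context->offset` on the line above underflows to a very large value whenever the firmware reports an offset below context->offset; the first clause happens to reject that case, but a one-line comment stating that is intentional would help the next reader, and logging evt->offset, evt->length and context->buf_len in the hdd_err() call would make a rejected FW response diagnosable rather than just "exceeding allocated space".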