qcacmn: Fix possible OOB read in extract_hw_mode_cap_service_ready_ext_tlv

When WMI_SERVICE_READY_EXT_EVENT is received from firmware, the
function extract_hw_mode_cap_service_ready_ext_tlv is called to
update the soc caps and other capabilities to the host. hw_caps
is extracted directly from the param_buf value received from the
firmware and hw_caps->num_hw_modes is used to traverse
through the hw_mode_caps and update the values to it from the
param_buf->hw_mode_caps, need validate hw_caps->num_hw_modes and
param_buf->hw_mode_caps before use them.

Change-Id: I459f0afce7701ddf1d041912e3406643d27a7f9c
CRs-Fixed: 2336910

wmi/src/wmi_unified_tlv.c

@@ -9320,6 +9320,12 @@ static QDF_STATUS extract_hw_mode_cap_service_ready_ext_tlv(
 	if (!hw_caps)
 		return QDF_STATUS_E_INVAL;
 
+	if (!hw_caps->num_hw_modes ||
+	    !param_buf->hw_mode_caps ||
+	    hw_caps->num_hw_modes > PSOC_MAX_HW_MODE ||
+	    hw_caps->num_hw_modes > param_buf->num_hw_mode_caps)
+		return QDF_STATUS_E_INVAL;
+
 	if (hw_mode_idx >= hw_caps->num_hw_modes)
 		return QDF_STATUS_E_INVAL;