
qcacld-3.0: Check the length of IE's before appending

Check the length of the IE's before appending them
and storing them in the session in
lim_process_update_add_ies.

Change-Id: I70d26638a58998c82a8810d7c2181d1f24c56e19
CRs-Fixed: 2119729
Varun Reddy Yeturu 7 years ago
parent
commit
84637fcaa0
1 changed file with 11 additions and 1 deletion

+ 11 - 1
core/mac/src/pe/lim/lim_process_sme_req_messages.c

@@ -5614,8 +5614,18 @@ static void lim_process_update_add_ies(tpAniSirGlobal mac_ctx,
 		if (update_ie->append) {
 			/*
 			 * In case of append, allocate new memory
-			 * with combined length
+			 * with combined length.
+			 * Multiple back to back append commands
+			 * can lead to a huge length.So, check
+			 * for the validity of the length.
 			 */
+			if (addn_ie->probeRespDataLen >
+				(USHRT_MAX - update_ie->ieBufferlength)) {
+				pe_err("IE Length overflow, curr:%d, new:%d",
+					addn_ie->probeRespDataLen,
+					update_ie->ieBufferlength);
+				goto end;
+			}
 			new_length = update_ie->ieBufferlength +
 				addn_ie->probeRespDataLen;
 			new_ptr = qdf_mem_malloc(new_length);
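
Review bot: the new guard `addn_ie->probeRespDataLen > (USHRT_MAX - update_ie->ieBufferlength)` is only sound if both length fields are at most 16 bits wide, and neither their declarations nor that of `new_length` appear in this hunk. If `update_ie->ieBufferlength` is a wider unsigned type and its value exceeds USHRT_MAX, the subtraction wraps around and the guard lets the request through, so I would add an explicit `update_ie->ieBufferlength > USHRT_MAX` rejection before it, or note the field widths in the comment so the bound is self-evident. Two smaller points on the same lines: `pe_err` formats both lengths with `%d`, which should be `%u` if the fields are unsigned, and the comment text "length.So" is missing a space after the period.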