qcacmn: Fix possible OOB in extract_ocb_dcc_stats_tlv

The correct element number of param_tlvs->stats_per_channel_list is
actually param_tlvs->num_stats_per_channel_list and thus the
qdf_mem_copy() can actually copy more bytes than are in the buffer
causing a buffer overread.

Fix it by checking fix_param->num_channels against the actually
param_tlvs->num_stats_per_channel_list before doing memory copy.

Change-Id: I610920ac1d0a927a52de83935616e8e8fdfec7e7
CRs-Fixed: 2428212

wmi/src/wmi_unified_ocb_tlv.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -742,9 +742,11 @@ static QDF_STATUS extract_ocb_dcc_stats_tlv(wmi_unified_t wmi_handle,
 
 	/* Allocate and populate the response */
 	if (fix_param->num_channels > ((WMI_SVC_MSG_MAX_SIZE -
-	    sizeof(*fix_param)) / sizeof(wmi_dcc_ndl_stats_per_channel))) {
-		WMI_LOGE("%s: too many channels:%d", __func__,
-			 fix_param->num_channels);
+	    sizeof(*fix_param)) / sizeof(wmi_dcc_ndl_stats_per_channel)) ||
+	    fix_param->num_channels > param_tlvs->num_stats_per_channel_list) {
+		WMI_LOGE("%s: too many channels:%d actual:%d", __func__,
+			 fix_param->num_channels,
+			 param_tlvs->num_stats_per_channel_list);
 		QDF_ASSERT(0);
 		*resp = NULL;
 		return QDF_STATUS_E_INVAL;