
qcacld-3.0: Fix possible overflow in wma_stats_event_handler

The excess buffer check in wma_stats_event_handler is such that
if buflen is greater than WMI_SVC_MSG_MAX_SIZE, the resulting
difference of the two values will be a negative integer, which
will be treated as a very large positive integer since the data type
is unsigned. This will result in the check failing to detect overflow
when compared with sizeof(*event).

Fix the buflen check condition such that buflen is compared with the
difference of WMI_SVC_MSG_MAX_SIZE and sizeof(*event), eliminating
the possibility of overflow.

Change-Id: Ic20bfa554476db36e28557402cec23fcce5af85d
CRs-Fixed: 2224443
Rakshith Suresh Patkar 6 years ago
parent
commit
9051736a2e
1 changed files with 1 additions and 1 deletions
core/wma/src/wma_utils.c

@@ -3095,7 +3095,7 @@ int wma_stats_event_handler(void *handle, uint8_t *cmd_param_info,
 	} while (0);
 
 	if (excess_data ||
-		(sizeof(*event) > WMI_SVC_MSG_MAX_SIZE - buf_len)) {
+		(buf_len > WMI_SVC_MSG_MAX_SIZE - sizeof(*event))) {
 		WMA_LOGE("excess wmi buffer: stats pdev %d vdev %d peer %d",
 			 event->num_pdev_stats, event->num_vdev_stats,
 			 event->num_peer_stats);
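Review bot: the rewritten condition on the `+` line still contains an unsigned subtraction, `WMI_SVC_MSG_MAX_SIZE - sizeof(*event)`, so it is only sound while WMI_SVC_MSG_MAX_SIZE is at least sizeof(*event), and nothing in the visible lines enforces that. Consider a compile-time assertion beside the check, or at least a comment stating the assumption, so that a later growth of the event structure cannot silently bring the wraparound back. Separately, the WMA_LOGE message prints the three stats counts but not buf_len, which is the value this condition rejects; including it would make a rejected event easier to triage.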