
qcacld-3.0: Fix possible OOB in wma_pdev_div_info_evt_handler

When the WMI_PDEV_DIV_RSSI_ANTID_EVENTID event is handled, the
corresponding event handler wma_pdev_div_info_evt_handler is
invoked. In that function the event_buf argument comes directly
from firmware and the event parameter is pulled from event_buf.
event->num_chains_valid is used as the upper bound on the index
into the chain_rssi[] array, which has a maximum size of
CHAIN_MAX_NUM(8). When event->num_chains_valid has a value
greater than this maximum, an OOB write could occur.

Add check to validate the event->num_chains_valid against
CHAIN_MAX_NUM(8) and return failure if it exceeds.

Change-Id: I40f1aa8a7b4bcffef3cab588c78c700e88e24673
CRs-Fixed: 2304662
Pragaspathi Thilagaraj 6 years ago
parent
commit
96aff7736b
1 changed files with 9 additions and 5 deletions
  1. 9 5
      core/wma/src/wma_features.c

+ 9 - 5
core/wma/src/wma_features.c

@@ -5784,20 +5784,24 @@ int wma_pdev_div_info_evt_handler(void *handle, u_int8_t *event_buf,
 		return -EINVAL;
 	}
 
+	if (event->num_chains_valid > CHAIN_MAX_NUM) {
+		WMA_LOGE(FL("Invalid num of chains"));
+		return -EINVAL;
+	}
+
 	WMI_MAC_ADDR_TO_CHAR_ARRAY(&event->macaddr, macaddr);
 	WMA_LOGD(FL("macaddr: " MAC_ADDRESS_STR), MAC_ADDR_ARRAY(macaddr));
 
 	WMA_LOGD(FL("num_chains_valid: %d"), event->num_chains_valid);
 	chain_rssi_result.num_chains_valid = event->num_chains_valid;
 
-	for (i = 0; i < CHAIN_MAX_NUM; i++)
-		WMA_LOGD(FL("chain_rssi: %d, ant_id: %d"),
-			event->chain_rssi[i], event->ant_id[i]);
-
 	qdf_mem_copy(chain_rssi_result.chain_rssi, event->chain_rssi,
 				sizeof(event->chain_rssi));
-	for (i = 0; i < event->num_chains_valid; i++)
+	for (i = 0; i < event->num_chains_valid; i++) {
+		WMA_LOGD(FL("chain_rssi: %d, ant_id: %d"),
+			 event->chain_rssi[i], event->ant_id[i]);
 		chain_rssi_result.chain_rssi[i] += WMA_TGT_NOISE_FLOOR_DBM;
+	}
 
 	qdf_mem_copy(chain_rssi_result.ant_id, event->ant_id,
 				sizeof(event->ant_id));
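Review bot: The rejection in the added `if` logs no value, so a firmware-supplied out-of-range count cannot be told apart in the log from any other rejection; `WMA_LOGE(FL("Invalid num of chains: %d"), event->num_chains_valid);` would carry the rejected value at no extra cost. The `> CHAIN_MAX_NUM` bound is correct only if both `event->chain_rssi` and `event->ant_id` are sized CHAIN_MAX_NUM, which this hunk does not show, so it is worth confirming against the WMI event struct. If num_chains_valid is a signed type (also not visible here), a negative value passes the new check and is copied unchanged into chain_rssi_result.num_chains_valid for downstream consumers, so a `< 0` guard alongside the upper bound would close that path. The function begins before the hunk and continues past it.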