qcacld-3.0: Fix potential buffer overflow in wlan_hdd_cfg80211_set_ie

In function wlan_hdd_cfg80211_set_ie, RSN IE is parsed and copied
into the buffer  for length eLen + 2.
However, the buffer WPARSNIE is allocated only for
size. If eLen + 2 is greater than MAX_WPA_RSN_IE_LEN, a buffer overflow
would occur.

Add sanity check to make sure eLen does not exceed MAX_WPA_RSN_IE_LEN - 2.
Also increase the size of  to 255 as per the spec

Change-Id: Ibf44e8dc1010e6e32b2262357d3aa180926d5c99
CRs-Fixed: 2154216
Vignesh Viswanathan 7 years ago
parent
commit
96e0e702ec
2 changed files with 6 additions and 1 deletion
  1. 1 1
      core/hdd/inc/wlan_hdd_wext.h
  2. 5 0
      core/hdd/src/wlan_hdd_cfg80211.c

+ 1 - 1
core/hdd/inc/wlan_hdd_wext.h

@@ -153,7 +153,7 @@ enum hdd_wlan_wmm_ts_info_ack_policy {
 };
 
 /** Maximum Length of WPA/RSN IE */
-#define MAX_WPA_RSN_IE_LEN 40
+#define MAX_WPA_RSN_IE_LEN 255
 
 /** Enable 11d */
 #define ENABLE_11D  1
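Review bot: The comment on MAX_WPA_RSN_IE_LEN ("Maximum Length of WPA/RSN IE") does not say whether the value covers the 2-byte element header, and the new value of 255 leaves that ambiguous. The copy in wlan_hdd_cfg80211_set_ie writes eLen + 2 bytes, so with a 255-byte buffer the largest accepted element body is 253 bytes, while a one-byte length field can carry up to 255 (257 bytes with the header). If the intent is to hold any element the length field allows, the buffer needs 257 bytes; otherwise please extend the comment to state that the limit includes the header. Since this macro is in a shared header, every other array or length check that uses it also grows from 40 to 255, so those users should be checked as part of this change.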

+ 5 - 0
core/hdd/src/wlan_hdd_cfg80211.c

@@ -16889,6 +16889,11 @@ static int wlan_hdd_cfg80211_set_ie(struct hdd_adapter *adapter,
 			break;
 		case DOT11F_EID_RSN:
 			hdd_debug("Set RSN IE(len %d)", eLen + 2);
+			if (eLen > (MAX_WPA_RSN_IE_LEN - 2)) {
+				hdd_err("%s: Invalid WPA RSN IE length[%d]",
+					__func__, eLen);
+				return -EINVAL;
+			}
 			memset(pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN);
 			memcpy(pWextState->WPARSNIE, genie - 2,
 			       (eLen + 2));
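Review bot: The new check in the DOT11F_EID_RSN case bounds eLen against the macro rather than against the destination itself, so it only stays correct as long as WPARSNIE is declared with exactly MAX_WPA_RSN_IE_LEN bytes, which is not visible in this hunk. Consider testing the same expression the memcpy uses against the real buffer, for example "if (eLen + 2 > sizeof(pWextState->WPARSNIE))", and using the same sizeof in the memset, so the check, the clear and the copy cannot drift apart if the declaration changes. Two smaller points: the error text says "WPA RSN IE" although this branch handles only the RSN element, and the message is worth confirming against the other cases in this switch that copy into WPARSNIE, which should carry an equivalent bound if they do not already. Also confirm that nothing acquired earlier in the function needs releasing before the new "return -EINVAL".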