qcacmn: Fix possible OOB read in extract_chainmask_tables_tlv

When WMI_SERVICE_READY_EXT_EVENT is received from firmware, the function extract_chainmask_tables_tlv is called to update the soc caps and other capabilities to the host.

hw_caps is extracted directly from the param_buf value received from the firmware and hw_caps->num_chainmask_tables is used to traverse through the chainmask table and update the values to it from the param_buf->mac_phy_chainmask_caps. hw_caps->num_chainmask_tables is validated against PSOC_MAX_CHAINMASK_TABLES but not against param_buf->num_mac_phy_chainmask_combo. This can cause potential out of bound read in extract_chainmask_tables_tlv.

Validate the value of the hw_caps->num_chainmask_tables received from the firmware against param_buf->num_mac_phy_chainmask_combo before updating chainmask_table.

Change-Id: Ibf438760a9219f4ff82d29b42aa30f4dcf626364
CRs-Fixed: 2336842
This commit is contained in:

committed by
nshrivas

parent
00ef4b716c
commit
9ad6eca6e0
@@ -8890,7 +8890,9 @@ static QDF_STATUS extract_chainmask_tables_tlv(wmi_unified_t wmi_handle,
|
||||
return QDF_STATUS_E_INVAL;
|
||||
|
||||
if ((!hw_caps->num_chainmask_tables) ||
|
||||
(hw_caps->num_chainmask_tables > PSOC_MAX_CHAINMASK_TABLES))
|
||||
(hw_caps->num_chainmask_tables > PSOC_MAX_CHAINMASK_TABLES) ||
|
||||
(hw_caps->num_chainmask_tables >
|
||||
param_buf->num_mac_phy_chainmask_combo))
|
||||
return QDF_STATUS_E_INVAL;
|
||||
|
||||
chainmask_caps = param_buf->mac_phy_chainmask_caps;
|
||||
|
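Review bot: In the added condition, `hw_caps->num_chainmask_tables > param_buf->num_mac_phy_chainmask_combo` bounds only the number of tables, while the next line hands `param_buf->mac_phy_chainmask_caps` to code below the hunk that is not shown here. If that code consumes more than one `mac_phy_chainmask_caps` entry per table, a table count that passes this check does not keep the reads within `num_mac_phy_chainmask_combo` entries; please confirm how the array is indexed and, if needed, also check the running entry index against `num_mac_phy_chainmask_combo`. The rejection path returns `QDF_STATUS_E_INVAL` without a message, so a log line carrying both counts would make a malformed firmware event easier to diagnose.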