
qcacld-3.0: Integer overflow in wma_unified_link_peer_stats_event_handler

In wma_unified_link_peer_stats_event_handler a check for excess WMI
buffer is done by comparing the difference between WMI_SVC_MSG_MAX_SIZE and
the buffer length with the size of wmi_peer_stats_event_fixed_param. In case the
buffer length is a value larger than WMI_SVC_MSG_MAX_SIZE, and as the buffer
length is an unsigned integer, it causes an integer overflow and results
in a very large value, thus invalidating the check.

Change the check to compare the difference of WMI_SVC_MSG_MAX_SIZE and the size
of wmi_peer_stats_event_fixed_param with the buffer length, which
prevents the chance of integer overflow.

Change-Id: Ic99d0cf6b34c7c45dde3c4feb50e102807564eff
CRs-Fixed: 2224451
jitiphil, 6 years ago
commit 9fa0e8e014
1 file changed, 1 insertion(+), 1 deletion(-)

core/wma/src/wma_utils.c (+1, -1)

@@ -1311,7 +1311,7 @@ static int wma_unified_link_peer_stats_event_handler(void *handle,
 	} while (0);
 
 	if (excess_data ||
-		(sizeof(*fixed_param) > WMI_SVC_MSG_MAX_SIZE - buf_len)) {
+	    (buf_len > WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_param))) {
 		WMA_LOGE("excess wmi buffer: rates:%d, peers:%d",
 			peer_stats->num_rates, fixed_param->num_peers);
 		return -EINVAL;
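Review bot: the rewritten condition on the `+` line, `buf_len > WMI_SVC_MSG_MAX_SIZE - sizeof(*fixed_param)`, is only free of wraparound because both operands of the subtraction are compile-time constants with WMI_SVC_MSG_MAX_SIZE at least as large as sizeof(*fixed_param); if that relationship is not already enforced, a compile-time assertion (for example a BUILD_BUG_ON placed next to this check) would document why the subtraction is safe, in contrast to the removed form `sizeof(*fixed_param) > WMI_SVC_MSG_MAX_SIZE - buf_len`, whose subtrahend is runtime data from the firmware message. The `+` line also indents with a tab followed by four spaces while the surrounding context lines use tabs only; match the file's tab indentation.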