
qcacmn: Add check for buffer overflow and null pointer dereference

There is a chance for null pointer dereference for
num_eht_user_info_valid and array out of bounds for eht_user_info.

Add checks for both the cases as it may cause crash.

Change-Id: Icb5235612a1225b9991c99519b5ee49536c577bc
CRs-Fixed: 3426873
Aravind Kishore Sukla %!s(int64=2) %!d(string=hai) anos
Modificáronse 2 ficheiros con 6 adicións e 2 borrados
  1. 3 1
      qdf/inc/qdf_nbuf.h
  2. 3 1
      qdf/linux/src/qdf_nbuf.c

+ 3 - 1
qdf/inc/qdf_nbuf.h

@@ -242,6 +242,8 @@ enum wsc_op_code {
 #define MAX_CHAIN 8
 #define QDF_MON_STATUS_MPDU_FCS_BMAP_NWORDS 8
 
+#define EHT_USER_INFO_LEN 4
+
 /**
  * typedef qdf_nbuf_queue_t - Platform independent packet queue abstraction
  */
@@ -512,7 +514,7 @@ struct mon_rx_status {
 	uint32_t usig_mask;
 	uint32_t eht_known;
 	uint32_t eht_data[6];
-	uint32_t eht_user_info[4];
+	uint32_t eht_user_info[EHT_USER_INFO_LEN];
 #ifdef QCA_UNDECODED_METADATA_SUPPORT
 	uint32_t phyrx_abort:1,
 		 phyrx_abort_reason:8,
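Review bot: The new EHT_USER_INFO_LEN macro at the top of the hunk has no comment tying it to the array it sizes, so a future change to one without the other is easy to miss; add `/* Number of EHT user-info words in mon_rx_status::eht_user_info; also bounds the radiotap emit loop in qdf_nbuf.c */` above the define. The struct mon_rx_status definition starts and ends outside this hunk.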

+ 3 - 1
qdf/linux/src/qdf_nbuf.c

@@ -5120,7 +5120,9 @@ qdf_nbuf_update_radiotap_eht_flags(struct mon_rx_status *rx_status,
 	put_unaligned_le32(rx_status->eht_data[5], &rtap_buf[rtap_len]);
 	rtap_len += 4;
 
-	for (user = 0; user < rx_status->num_eht_user_info_valid; user++) {
+	for (user = 0; user < EHT_USER_INFO_LEN &&
+	     rx_status->num_eht_user_info_valid &&
+	     user < rx_status->num_eht_user_info_valid; user++) {
 		put_unaligned_le32(rx_status->eht_user_info[user],
 				   &rtap_buf[rtap_len]);
 		rtap_len += 4;
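Review bot: The middle clause `rx_status->num_eht_user_info_valid &&` in the new loop condition adds no protection: `num_eht_user_info_valid` is a struct member read through `rx_status`, not a pointer, so it cannot be the source of a null dereference, and when it is zero the third clause `user < rx_status->num_eht_user_info_valid` is already false for `user == 0`. The real fix here is the `user < EHT_USER_INFO_LEN` clamp, so the condition can be reduced to `for (user = 0; user < EHT_USER_INFO_LEN && user < rx_status->num_eht_user_info_valid; user++) {` and the commit message's null-pointer claim should be dropped or reworded. Silently clamping also means that if `num_eht_user_info_valid` exceeds 4, the count advertised elsewhere in the radiotap EHT header (not visible in this hunk) may no longer match the number of user-info words emitted; consider clamping or rejecting the value where the decoder fills in `rx_status` rather than only at the consumer. The writes to `rtap_buf[rtap_len]` are still not checked against the buffer's capacity in this hunk; if that is not established by the caller, a bound on `rtap_len` is worth adding too. `qdf_nbuf_update_radiotap_eht_flags` begins and ends outside this hunk.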