
qcacld-3.0: Possible buffer overwrite in vendor scan request

In the API "__wlan_hdd_cfg80211_vendor_scan", the SSID length is u8;
when memcpy is done for the SSID, the length is not validated and
nla_len(attr) is used directly in memcpy, which can result in a buffer
overwrite.

Add a check to validate the max length of scan ssid against
SIR_MAC_MAX_SSID_LENGTH.

Change-Id: If4c25710973ee50094c5d52410269962f552ac3f
CRs-Fixed: 2153326
Ashish Kumar Dhanotiya, 7 years ago
parent
commit
a60c1754b3
1 file changed with 8 additions and 5 deletions
      core/hdd/src/wlan_hdd_scan.c

+ 8 - 5
core/hdd/src/wlan_hdd_scan.c

@@ -1030,17 +1030,20 @@ static int __wlan_hdd_cfg80211_vendor_scan(struct wiphy *wiphy,
 	request->n_channels = count;
 	count = 0;
 	if (tb[QCA_WLAN_VENDOR_ATTR_SCAN_SSIDS]) {
+		int ssid_length;
 		nla_for_each_nested(attr, tb[QCA_WLAN_VENDOR_ATTR_SCAN_SSIDS],
 				tmp) {
-			request->ssids[count].ssid_len = nla_len(attr);
-			if (request->ssids[count].ssid_len >
-				SIR_MAC_MAX_SSID_LENGTH) {
+			ssid_length = nla_len(attr);
+			if ((ssid_length > SIR_MAC_MAX_SSID_LENGTH) ||
+			    (ssid_length < 0)) {
 				hdd_err("SSID Len %d is not correct for network %d",
-					 request->ssids[count].ssid_len, count);
+					 ssid_length, count);
 				goto error;
 			}
+
+			request->ssids[count].ssid_len = ssid_length;
 			memcpy(request->ssids[count].ssid, nla_data(attr),
-					nla_len(attr));
+					ssid_length);
 			count++;
 		}
 	}
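Review bot: the reason the length now goes through a local `int` before the comparison deserves a one-line comment in the hunk, since the old code at `request->ssids[count].ssid_len = nla_len(attr);` stored the attribute length in a u8 field first, so a payload longer than 255 bytes wrapped to a small value, passed the `> SIR_MAC_MAX_SSID_LENGTH` check, and the following `memcpy` still used the unwrapped `nla_len(attr)`; comparing `ssid_length` (an `int`, matching the return type of `nla_len()`) before assigning it closes that gap, and the new `(ssid_length < 0)` test is the right belt-and-braces for a signed length. Within the context shown, nothing bounds `count` against the number of entries allocated for `request->ssids` as the loop increments it for each nested attribute; if that limit is enforced earlier in the function it is fine, otherwise a `count >= request->n_ssids` (or equivalent) check belongs next to the length check so a malformed nested list cannot index past the array.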