
qcacmn: Fix possible OOB in target_if_direct_buf_rx_rsp_event_handler

The function target_if_direct_buf_rx_rsp_event_handler() handles
the WMI_PDEV_DMA_RING_BUF_RELEASE_EVENTID event from the target.
This function calls extract_dbr_buf_release_fixed_tlv() to copy
the module id, pdev id, number of buffer release entries and number
of meta data release entries. The value of module id is used to
index the array dbr_mod_param to get the value of mod_param.
So a module id value greater than dbr_pdev_obj->num_modules
could result in a possible OOB.

Validate mod_id received in the fixed param of the event
WMI_PDEV_DMA_RING_BUF_RELEASE_EVENTID against
dbr_pdev_obj->num_modules.

Change-Id: I1c2c0a2a9c98d8b787496aba7a7c4f8fd781de16
CRs-Fixed: 2428798
Pragaspathi Thilagaraj 5 years ago
parent
commit
a7c83f7401
1 changed file with 5 additions and 0 deletions

target_if/direct_buf_rx/src/target_if_direct_buf_rx_main.c (+5 -0)

@@ -961,6 +961,11 @@ static int target_if_direct_buf_rx_rsp_event_handler(ol_scn_t scn,
 		return QDF_STATUS_E_FAILURE;
 	}
 
+	if (dbr_rsp.mod_id >= dbr_pdev_obj->num_modules) {
+		direct_buf_rx_err("Invalid module id:%d", dbr_rsp.mod_id);
+		wlan_objmgr_pdev_release_ref(pdev, dbr_mod_id);
+		return QDF_STATUS_E_FAILURE;
+	}
 	mod_param = &(dbr_pdev_obj->dbr_mod_param[dbr_rsp.mod_id]);
 
 	if (!mod_param) {
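
Review bot: the new check `dbr_rsp.mod_id >= dbr_pdev_obj->num_modules` only bounds the index from above, and the error message formats the value with `%d`. If `mod_id` is a signed type, a negative value from the event passes this check and still indexes before `dbr_mod_param`; if it is unsigned, the format should be `%u`. Please confirm the field's type and either add a lower-bound test or switch the format specifier accordingly. The `if (!mod_param)` test that follows takes the address of an array element, so it cannot catch a bad index and should not be relied on as a second guard; if the intent is to detect an unallocated `dbr_mod_param`, test that pointer directly before indexing. The commit message says "greater than" while the code correctly rejects "greater than or equal to"; aligning the wording would help anyone backporting this. Style: add a blank line between the closing brace of the new block and the `mod_param = ...` assignment, matching the spacing used above it.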