qcacld-3.0: Check for max number of num_dscp_exceptions in QOS map set

qcacld-2.0 to qcacld-3.0 propagation

In convert_qos_mapset_frame, dscp_exceptions is max of 21 size but
there is no limit check for num_dscp_exceptions.
Check for max size for num_dscp_exceptions.

Change-Id: Id098da5231b4f3e40abe369e52960859091dc200
CRs-Fixed: 931435

core/mac/inc/sir_api.h

@@ -108,7 +108,10 @@ typedef uint8_t tSirVersionString[SIR_VERSION_STRING_LEN];
 #define MAX_VDEV_SUPPORTED                        4
 
 #define MAX_POWER_DBG_ARGS_SUPPORTED 8
-
+#define QOS_MAP_MAX_EX  21
+#define QOS_MAP_LEN_MIN 16
+#define QOS_MAP_LEN_MAX \
+	(QOS_MAP_LEN_MIN + 2 * QOS_MAP_MAX_EX)
 #define NUM_CHAINS_MAX  2
 
 /**

core/mac/src/sys/legacy/src/utils/src/utils_parser.c

@@ -712,7 +712,11 @@ void convert_qos_mapset_frame(tpAniSirGlobal pMac, tSirQosMapSet *Qos,
 
 	qos_dscp_sz = (sizeof(Qos->dscp_exceptions)/2);
 	dot11_dscp_sz = sizeof(dot11fIE->dscp_exceptions);
-	Qos->num_dscp_exceptions = (dot11fIE->num_dscp_exceptions - 16) / 2;
+	if (dot11fIE->num_dscp_exceptions > QOS_MAP_LEN_MAX)
+		dot11fIE->num_dscp_exceptions = QOS_MAP_LEN_MAX;
+	Qos->num_dscp_exceptions =
+		(dot11fIE->num_dscp_exceptions - QOS_MAP_LEN_MIN) / 2;
+
 	for (i = 0;
 			i < Qos->num_dscp_exceptions &&
 			i < qos_dscp_sz && j < dot11_dscp_sz;