qcacld-3.0: Check channel_count in DCC_GET_STATS command

Invalid channel_count may be sent to driver with
QCA_NL80211_VENDOR_SUBCMD_DCC_GET_STATS vendor command, and may also
pass the sanity check with get_stats_param->request_array_len as
integer overflow, in send_dcc_get_stats_cmd_tlv().
Then it will finally lead to heap overflow when initializing
TLV header for each channel.

Change-Id: I1d81b5fc4de80829433f2a0ab41c964c41f750c3
CRs-Fixed: 2300516

core/hdd/src/wlan_hdd_ocb.c

@@ -1655,6 +1655,12 @@ static int __wlan_hdd_cfg80211_dcc_get_stats(struct wiphy *wiphy,
 	request_array = nla_data(
 		tb[QCA_WLAN_VENDOR_ATTR_DCC_GET_STATS_REQUEST_ARRAY]);
 
+	/* Check channel count. Per 11p spec, max 2 channels allowed */
+	if (!channel_count || channel_count > CFG_TGT_NUM_OCB_CHANNELS) {
+		hdd_err("Invalid channel_count %d", channel_count);
+		return -EINVAL;
+	}
+
 	request = osif_request_alloc(&params);
 	if (!request) {
 		hdd_err("Request allocation failure");