qcacmn: Add bound check for num_per_chain_rssi_stats

Add bound check rssi_event->num_per_chain_rssi_stats in
extract_all_stats_counts_tlv().

ev->num_chain_rssi_stats in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
is derived from rssi_event->num_per_chain_rssi_stats
and is used as limit in for loop.

As length was never checked multiple qdf_mem_copy calls in
wmi_extract_per_chain_rssi_stats() used in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
will result in an OOB issue.

Change-Id: I204744e1435e687e33f2165744a92cdb8b975a51
CRs-Fixed: 2322298

wmi/src/wmi_unified_tlv.c

@@ -19085,6 +19085,12 @@ static QDF_STATUS extract_all_stats_counts_tlv(wmi_unified_t wmi_handle,
 	    WMITLV_GET_TLVLEN(rssi_event->tlv_header))
 		return QDF_STATUS_SUCCESS;
 
+	if (rssi_event->num_per_chain_rssi_stats >=
+	    WMITLV_GET_TLVLEN(rssi_event->tlv_header)) {
+		WMI_LOGE("num_per_chain_rssi_stats:%u is out of bounds",
+			 rssi_event->num_per_chain_rssi_stats);
+		return QDF_STATUS_E_INVAL;
+	}
 	stats_param->num_rssi_stats = rssi_event->num_per_chain_rssi_stats;
 
 	return QDF_STATUS_SUCCESS;