
qcacmn: Fix out-of-bounds read in extract_ndp_confirm_tlv

Update handling of WMI_NDP_CONFIRM_EVENTID to prevent a possible
out-of-bounds read when fixed_params->num_ndp_channels is greater than
the TLV length of the NDP channel list or the NSS list.

Change-Id: I3bf429a47c46edbb464cf8447f227f7baa74fbe3
CRs-fixed: 2325849
Manikandan Mohan 6 lat temu
rodzic
commit
c078394102
1 zmienionych plików z 8 dodań i 0 usunięć
  1. 8 0
      wmi/src/wmi_unified_tlv.c

+ 8 - 0
wmi/src/wmi_unified_tlv.c

@@ -15242,6 +15242,14 @@ static QDF_STATUS extract_ndp_confirm_tlv(wmi_unified_t wmi_handle,
 			 __func__, fixed_params->ndp_app_info_len);
 		return QDF_STATUS_E_INVAL;
 	}
+	if (fixed_params->num_ndp_channels > event->num_ndp_channel_list ||
+	    fixed_params->num_ndp_channels > event->num_nss_list) {
+		WMI_LOGE(FL("NDP Ch count %d greater than NDP Ch TLV len (%d) or NSS TLV len (%d)"),
+			 fixed_params->num_ndp_channels,
+			 event->num_ndp_channel_list,
+			 event->num_nss_list);
+		return QDF_STATUS_E_INVAL;
+	}
 
 	rsp->vdev =
 		wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
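Review bot: The added `WMI_LOGE` call prints `fixed_params->num_ndp_channels`, `event->num_ndp_channel_list` and `event->num_nss_list` with `%d`. Their declarations are outside the hunk, but if they are unsigned 32-bit fields, an oversized firmware-supplied count (the case this branch reports) would be logged as a negative number, so `%u` is the safer specifier. The guard bounds `num_ndp_channels` only by the two source TLV lengths. The hunk does not show whether the later copy into `rsp` is also capped by the capacity of the destination array, which is worth confirming. A short comment above the check, such as `/* num_ndp_channels comes from firmware and indexes both the channel and NSS TLVs */`, would record why both comparisons are needed. The body of extract_ndp_confirm_tlv starts and ends outside the hunk.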