qcacmn: Fix possible OOB read in extract_mac_phy_cap_service_ready_ext_tlv

In extract_mac_phy_cap_service_ready_ext() the field num_hw_modes
of hw_caps is used as loop bounds and may be attacked.

hw_mode_caps is a pointer defined by firmware. The exact array
length cannot be got since hw_mode_caps pointing array length
is variable. Fix is to add check for field num_hw_modes of hw_caps.

Change-Id: Ie234db3f2356186a4e7aac121ec88dd7e6453efd
CRs-Fixed: 2387221

wmi/src/wmi_unified_tlv.c

@@ -9217,7 +9217,6 @@ static QDF_STATUS extract_mac_phy_cap_service_ready_ext_tlv(
 			uint8_t *event, uint8_t hw_mode_id, uint8_t phy_id,
 			struct wlan_psoc_host_mac_phy_caps *param)
 {
-#define MAX_NUM_HW_MODES 24
 	WMI_SERVICE_READY_EXT_EVENTID_param_tlvs *param_buf;
 	WMI_MAC_PHY_CAPABILITIES *mac_phy_caps;
 	WMI_SOC_MAC_PHY_HW_MODE_CAPS *hw_caps;
@@ -9231,11 +9230,10 @@ static QDF_STATUS extract_mac_phy_cap_service_ready_ext_tlv(
 	hw_caps = param_buf->soc_hw_mode_caps;
 	if (!hw_caps)
 		return QDF_STATUS_E_INVAL;
-	/**
-	 * The max number of hw modes is 24 including 11ax.
-	 */
-	if (hw_caps->num_hw_modes > MAX_NUM_HW_MODES) {
-		wmi_err_rl("invalid num_hw_modes %d", hw_caps->num_hw_modes);
+	if (hw_caps->num_hw_modes > PSOC_MAX_HW_MODE ||
+	    hw_caps->num_hw_modes > param_buf->num_hw_mode_caps) {
+		wmi_err_rl("invalid num_hw_modes %d, num_hw_mode_caps %d",
+			   hw_caps->num_hw_modes, param_buf->num_hw_mode_caps);
 		return QDF_STATUS_E_INVAL;
 	}