qcacld-3.0: Add bound check before writing to channel list

In function rrm_process_beacon_report_req, add bound check before
writing to channel list which is of fixed size.

Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
CRs-Fixed: 2060138

core/mac/src/pe/rrm/rrm_api.c

@@ -632,23 +632,25 @@ rrm_process_beacon_report_req(tpAniSirGlobal pMac,
 
 	pSmeBcnReportReq->channelList.numChannels = num_channels;
 	if (pBeaconReq->measurement_request.Beacon.num_APChannelReport) {
-		uint8_t *pChanList =
-			pSmeBcnReportReq->channelList.channelNumber;
+		uint8_t *ch_lst = pSmeBcnReportReq->channelList.channelNumber;
+		uint8_t len;
+		uint16_t ch_ctr = 0;
 		for (num_APChanReport = 0;
 		     num_APChanReport <
 		     pBeaconReq->measurement_request.Beacon.num_APChannelReport;
 		     num_APChanReport++) {
-			qdf_mem_copy(pChanList,
-				     pBeaconReq->measurement_request.Beacon.
-				     APChannelReport[num_APChanReport].
-				     channelList,
+			len = pBeaconReq->measurement_request.Beacon.
+			    APChannelReport[num_APChanReport].num_channelList;
+			if (ch_ctr + len >
+			   sizeof(pSmeBcnReportReq->channelList.channelNumber))
+				break;
+
+			qdf_mem_copy(&ch_lst[ch_ctr],
 				     pBeaconReq->measurement_request.Beacon.
 				     APChannelReport[num_APChanReport].
-				     num_channelList);
+				     channelList, len);
 
-			pChanList +=
-				pBeaconReq->measurement_request.Beacon.
-				APChannelReport[num_APChanReport].num_channelList;
+			ch_ctr += len;
 		}
 	}
 	/* Send request to SME. */