
qcacld-3.0: Possible OOB access in hdd_set_limit_off_chan_for_tos()

Currently, in __wlan_hdd_cfg80211_set_limit_offchan_param() function after
parsing the 'tos' value from incoming netlink buffer there is no check
against the max value of tos. This tos value is passed as an argument
to hdd_set_limit_off_chan_for_tos() function where it is used as an array
index for 'limit_off_chan_tbl' variable which is limited to HDD_MAX_AC.
This may cause out of bound access.

Add check to ensure the parsed tos value is not greater than
or equal to its max value.

Change-Id: I661af1f9559d9bec627594d119423be97978ac2c
CRs-Fixed: 2222803
Dundi Raviteja, 7 years ago
Commit e7b11b8721
1 file changed, 5 insertions and 0 deletions

core/hdd/src/wlan_hdd_cfg80211.c

@@ -13784,6 +13784,11 @@ static int __wlan_hdd_cfg80211_set_limit_offchan_param(struct wiphy *wiphy,
 	}
 
 	tos = nla_get_u8(tb[QCA_WLAN_VENDOR_ATTR_ACTIVE_TOS]);
+	if (tos >= HDD_MAX_AC) {
+		hdd_err("tos value %d exceeded Max value %d",
+			tos, HDD_MAX_AC);
+		goto fail;
+	}
 	hdd_debug("tos %d", tos);
 
 	if (!tb[QCA_WLAN_VENDOR_ATTR_ACTIVE_TOS_START]) {
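Review bot: The new `if (tos >= HDD_MAX_AC)` branch jumps to `fail` without assigning an error code in the visible lines, so please confirm that the status returned from the `fail` label is already a negative errno (for example -EINVAL) at this point; otherwise a rejected netlink request could be reported to userspace as success. The log text "exceeded Max value" is also slightly off, because `tos == HDD_MAX_AC` is rejected too and HDD_MAX_AC is the table size, not the largest valid index; something like "invalid tos %d, must be less than %d" would match the check. Since the commit message says the index is consumed inside hdd_set_limit_off_chan_for_tos(), consider putting the same bound check there as well, so any other caller of that function is covered and the validation sits next to the `limit_off_chan_tbl` access it protects.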