qcacmn: Fix out-of-bounds of src_freq

the number of channels scanned for each roam trigger is fetched from
wmi_roam_scan_info TLV (wmi_roam_scan_info->roam_scan_channel_count),
The total number of channels for all the roam triggers is fetched from

chan_idx is the index used to fetch the current channel info TLV to be
read. So if wmi_roam_scan_info->roam_scan_channel_count provided by
firmware exceeds the total param_buf->num_roam_scan_chan_info starting
from given chan_idx then OOB access of event buffer can happen.

To avoid this, validate the sum of the current chan_idx and
src_data->roam_scan_channel_count against

Bug: 280447263
Test: Regression Test
Change-Id: Ied94464d1f12690cf8832962b94595c2e00c33f8
CRs-Fixed: 3357714
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
1 file changed