Heap-buffer-overflow in send_nl_data() of wifi hal

In the send_nl_data() function, the size of ctrl_msg can
be greater than the size of the nl_msg structure. This can
cause buffer overload due to an out-of-bound write in
nl_msg->nm_nlh. Added a check for the length of ctrl_msg
to avoid the out-of-bound write.

Bug: 149836664
Test: Manual - Basic wifi sanity test
CRs-Fixed: 2605058
Change-Id: I73032dac6ce2f2e9ee7ede18b45b11a2b3f92053
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index cb82885..cb770ee 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -1112,6 +1112,12 @@
        goto nl_out;
     }
 
+    if (ctrl_msg->data_len > nlmsg_get_max_size(msg))
+    {
+        ALOGE("%s: Invalid ctrl msg length \n", __FUNCTION__);
+        retval = -1;
+        goto nl_out;
+    }
     memcpy((char *)msg->nm_nlh, (char *)ctrl_msg->data, ctrl_msg->data_len);
 
    if(ctrl_msg->family_name == GENERIC_NL_FAMILY)
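
Review bot: the new check ahead of the memcpy bounds ctrl_msg->data_len only from above. Because the copy starts at msg->nm_nlh, the copied bytes replace the netlink header itself, so a data_len shorter than a netlink header, or a copied header whose nlmsg_len disagrees with data_len, still passes and is carried into the code that follows. Consider also rejecting data_len < sizeof(struct nlmsghdr) and comparing the copied nlmsg_len against data_len before the message is used. In the ALOGE line, logging the rejected data_len and the value returned by nlmsg_get_max_size(msg) would make the failure diagnosable, and the stray space before \n can be dropped.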