qcacld-2.0: Fix potential buffer overflow htt_t2h_msg_handler

Currently the variable "tid" comes from the message and is used
directly as array size, which causes a buffer over-write.

To address this issue add check for the array size.

Change-Id: I9fae424d19ce5e886d385071863cbfca9633dd84
CRs-Fixed: 2178818
diff --git a/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c b/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
index a51eb75..29fc139 100644
--- a/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
+++ b/CORE/CLD_TXRX/TXRX/ol_rx_defrag.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2014, 2016-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2014, 2016-2018 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -490,6 +490,12 @@
         }
 
         tid = rx_reorder->tid;
+        if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+            TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+                    "%s:  invalid tid, %u\n", __func__, tid);
+            WARN_ON(1);
+            continue;
+        }
         /* get index 0 of the rx_reorder array */
         rx_reorder_base = rx_reorder - tid;
         peer = container_of(rx_reorder_base, struct ol_txrx_peer_t, tids_rx_reorder[0]);
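Review bot: The `continue` on an invalid tid skips the entry without unlinking it from whatever list the enclosing loop walks, so if the entry stays queued, every later pass reaches it again and repeats the error print and `WARN_ON(1)`. The loop header and the removal code are outside this hunk, so this needs confirming against the full function; if the entry does persist, it should be removed before `continue`. Separately, the commit message says tid originates from a message, so an unconditional `WARN_ON(1)` lets malformed input flood the kernel log with stack traces, and halts the system where panic_on_warn is set. `WARN_ON_ONCE(1);` or a rate-limited print would bound that, both here and in the matching check added in ol_rx_reorder.c.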
diff --git a/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c b/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
index c7bffde..bc3dc58 100644
--- a/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
+++ b/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2018 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -556,6 +556,13 @@
     struct ol_txrx_peer_t *peer;
     struct ol_rx_reorder_t *rx_reorder;
 
+    if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+        TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+                "%s:  invalid tid, %u\n", __func__, tid);
+        WARN_ON(1);
+        return;
+    }
+
     peer = ol_txrx_peer_find_by_id(pdev, peer_id);
     if (peer == NULL) {
         return;
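Review bot: The new guard has only an upper bound, which is sufficient only if `tid` has an unsigned type; its declaration is outside this hunk, and the `%u` in the print suggests it is unsigned, but that should be confirmed. If it were a signed parameter, a negative value would pass `tid >= OL_TXRX_NUM_EXT_TIDS` and the format specifier would also be mismatched. A one-line comment above the check would record the intent, e.g. `/* tid comes from the received message; reject it before it is used as an array index */`. The function starts before and continues past this hunk, so any other use of `tid` in it is not visible here.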