qcacld-2.0: Fix potential buffer overflow htt_t2h_msg_handler

Currently variable "tid" is from message, which is used
directly as array size which causes buffer over-write.

To address this issue add check for the array size in the
ol_rx_delba_handler & ol_rx_pn_ind_handler.

Change-Id: I39e5d9c5315a2bf9f34a65651025a1d8fc919c28
CRs-Fixed: 2178818

drivers/net/wireless/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_rx_reorder.c

@@ -549,6 +549,13 @@ ol_rx_delba_handler(
     struct ol_txrx_peer_t *peer;
     struct ol_rx_reorder_t *rx_reorder;
 
+    if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+        TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+                "%s:  invalid tid, %u\n", __func__, tid);
+        WARN_ON(1);
+        return;
+    }
+
     peer = ol_txrx_peer_find_by_id(pdev, peer_id);
     if (peer == NULL) {
         return;
@@ -654,6 +661,13 @@ ol_rx_pn_ind_handler(
     u_int16_t seq_num;
     int i=0;
 
+    if (tid >= OL_TXRX_NUM_EXT_TIDS) {
+        TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+                "%s:  invalid tid, %u\n", __func__, tid);
+        WARN_ON(1);
+        return;
+    }
+
     peer = ol_txrx_peer_find_by_id(pdev, peer_id);
 
     if (!peer) {