wlan: Fix out-of-bounds access in limProcessActionFrameNoSession

Currently in the function limProcessActionFrameNoSession, mem_cmp
is done on the received frame pointer without validating the frame_len
which could lead to out-of-bounds memory access if the frame_len is
not matching the size of action_hdr.

Add check to validate the frame_len with action_hdr size before doing
mem_cmp for the p2p oui.

Change-Id: I39329d1a9ef45614d3c617db11a7a7f5ec2aaaec
CRs-Fixed: 2110756
diff --git a/CORE/MAC/src/pe/lim/limProcessActionFrame.c b/CORE/MAC/src/pe/lim/limProcessActionFrame.c
index 387e32e..5133ead 100644
--- a/CORE/MAC/src/pe/lim/limProcessActionFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessActionFrame.c
@@ -2614,6 +2614,16 @@
             {
               tpSirMacVendorSpecificPublicActionFrameHdr pPubAction = (tpSirMacVendorSpecificPublicActionFrameHdr) pActionHdr;
               tANI_U8 P2POui[] = { 0x50, 0x6F, 0x9A, 0x09 };
+	      tANI_U32 frameLen;
+
+	      frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+
+	      if (frameLen < sizeof(pActionHdr)) {
+			limLog(pMac, LOG1,
+				FL("Received action frame of invalid len %d"),
+				frameLen);
+			break;
+	      }
 
               //Check if it is a P2P public action frame.
               if (vos_mem_compare(pPubAction->Oui, P2POui, 4))
@@ -2752,6 +2762,16 @@
             case SIR_MAC_ACTION_VENDOR_SPECIFIC:
               {
                 tANI_U8 P2POui[] = { 0x50, 0x6F, 0x9A, 0x09 };
+		tANI_U32 frameLen;
+
+		frameLen = WDA_GET_RX_PAYLOAD_LEN(pBd);
+
+		if (frameLen < sizeof(pActionHdr)) {
+			limLog(pMac, LOG1,
+				FL("Received action frame of invalid len %d"),
+				frameLen);
+			break;
+		}
 
                 //Check if it is a P2P public action frame.
                 if (vos_mem_compare(pActionHdr->Oui, P2POui, 4))