
qcacmn: Update validation before accessing neighbor_ap_info_field data

Don't fetch TBTT info if data + neighbor_ap_info_field is <=
ie + rnr_ie_len + 2 instead of < ie + rnr_ie_len + 2.
Validating with less-than only may lead to an extra iteration and
wrong RNR data.

CRs-Fixed: 3787446
Change-Id: I9dbaa066dd09f6c9ddfb3e400d95e009313cd54d
Sheenam Monga 1 year ago
parent
commit
1111cf6224
1 changed files with 3 additions and 3 deletions
  1. 3 3
      umac/scan/dispatcher/src/wlan_scan_utils_api.c

+ 3 - 3
umac/scan/dispatcher/src/wlan_scan_utils_api.c

@@ -1158,7 +1158,7 @@ util_scan_parse_rnr_ie(struct scan_cache_entry *scan_entry,
 	data = (uint8_t *)ie + sizeof(struct ie_header);
 	idx = scan_entry->rnr.count;
 
-	while ((data + sizeof(struct neighbor_ap_info_field)) <
+	while ((data + sizeof(struct neighbor_ap_info_field)) <=
 					((uint8_t *)ie + rnr_ie_len + 2)) {
 		neighbor_ap_info = (struct neighbor_ap_info_field *)data;
 		tbtt_count = neighbor_ap_info->tbtt_header.tbtt_info_count;
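Review bot: The bound in this `while` is still checked by pointer addition, `data + sizeof(struct neighbor_ap_info_field) <= (uint8_t *)ie + rnr_ie_len + 2`, and the same form is used for `data + tbtt_length` in the second hunk and for `data + sizeof(...) <= rnr_end` in util_handle_rnr_ie_for_mbssid. Forming a pointer more than one past the end of the buffer is undefined behaviour in C, and tbtt_length appears to come from the received frame, so comparing the remaining byte count is the safer form: compute `rnr_end = (uint8_t *)ie + rnr_ie_len + 2;` once and test `(size_t)(rnr_end - data) >= sizeof(struct neighbor_ap_info_field)`. The literal `2` is presumably the IE header size that the first context line spells as `sizeof(struct ie_header)`; using that name in the bound would keep the two in step. The body of util_scan_parse_rnr_ie starts and ends outside this hunk, so whether rnr_ie_len is validated earlier is not visible here.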
@@ -1174,7 +1174,7 @@ util_scan_parse_rnr_ie(struct scan_cache_entry *scan_entry,
 			break;
 
 		for (i = 0; i < (tbtt_count + 1) &&
-		     (data + tbtt_length) <
+		     (data + tbtt_length) <=
 				((uint8_t *)ie + rnr_ie_len + 2); i++) {
 			if ((i < MAX_RNR_BSS) && (idx < MAX_RNR_BSS))
 				util_scan_update_rnr(
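Review bot: A `tbtt_length` of zero makes the `(data + tbtt_length) <= ...` term in this `for` always true once the outer header check has passed, so the bound no longer limits the loop and util_scan_update_rnr is called up to `tbtt_count + 1` times with the same `data`. With the comparison now inclusive, that `data` may sit exactly at the end of the IE when a header ends on the last byte (assuming `data` is advanced past the header in the lines between the hunks). Unless the check that leads to the `break;` above already rejects it, add `if (!tbtt_length) break;` before the loop. A comment on the condition would also help the next reader, e.g. `/* end is one past the last IE byte, so an entry ending exactly there is valid */`.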
@@ -2907,7 +2907,7 @@ static int util_handle_rnr_ie_for_mbssid(const uint8_t *rnr,
 	pos += MIN_IE_LEN;
 
 	data = rnr + PAYLOAD_START_POS;
-	while (data + sizeof(struct neighbor_ap_info_field) < rnr_end) {
+	while (data + sizeof(struct neighbor_ap_info_field) <= rnr_end) {
 		neighbor_ap_info = (struct neighbor_ap_info_field *)data;
 		tbtt_count = neighbor_ap_info->tbtt_header.tbtt_info_count;
 		tbtt_len = neighbor_ap_info->tbtt_header.tbtt_info_length;