qcacmn: Fix possible OOB read/writes in ML probe generation

Fix the OOB read/writes util_add_mlie_for_prb_rsp_gen() when
the common info length is higher than the ML IE inside which
the common info is encoded.

Change-Id: I07e9ad748404c6252924996aae57aba0f18e2f7d
CRs-Fixed: 3700072

umac/mlo_mgr/src/utils_mlo.c

@@ -1584,8 +1584,12 @@ util_add_mlie_for_prb_rsp_gen(const uint8_t *reportingsta_ie,
 	status = util_get_mlie_common_info_len((uint8_t *)reportingsta_ie,
 					       reportingsta_ie_len,
 					       &common_info_len);
-	if (QDF_IS_STATUS_ERROR(status)) {
-		mlo_err("Failed while parsing the common info length");
+	if (QDF_IS_STATUS_ERROR(status) ||
+	    common_info_len > reportingsta_ie_len ||
+	    (reportingsta_ie_len - common_info_len <
+	     sizeof(struct wlan_ie_multilink))) {
+		mlo_err("Failed to parse common info, mlie len %d common info len %d",
+			reportingsta_ie_len, common_info_len);
 		return status;
 	}
 
@@ -1638,9 +1642,9 @@ util_add_mlie_for_prb_rsp_gen(const uint8_t *reportingsta_ie,
 		     reportingsta_ie + sizeof(struct wlan_ie_multilink),
 		     mlie_len - sizeof(struct wlan_ie_multilink));
 
-	if (linkid == 0xFF) {
+	if (linkid == 0xFF || mlie_len <= link_id_offset) {
 		qdf_mem_free(mlie_frame);
-		mlo_err("Link id is invalid");
+		mlo_err("Failed to process link id, link_id %d", linkid);
 		return QDF_STATUS_E_INVAL;
 	}
 	mlie_frame[link_id_offset] = (mlie_frame[link_id_offset] & ~0x0f) |