
qcacld-3.0: Fix integer underflow in assoc response frame

In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find the IE pointer after
the FILS session IE from the frame payload.
There is a possibility of integer underflow if the frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP, which may increase the value
of the buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during the parsing process.

Validate the frame payload length with FIXED_PARAM_OFFSET_ASSOC_RSP;
if it is less, return failure.

Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
Jyoti Kumari 4 years ago
parent
commit
2cec5921c2
1 changed file with 5 additions and 0 deletions
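An added illustration of the underflow the commit message describes, written for this page and not code from qcacld-3.0: the unchecked subtraction wraps for a short payload, the guarded variant mirrors the commit's check, and a bounded IE walk shows what a sane buf_len lets the parser do. FIXED_PARAM_OFFSET_ASSOC_RSP is assumed to be 6 (the capability, status and AID fields); the sample frame is constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed value for the page's macro: capability (2) + status (2) + AID (2)
 * bytes, the fixed fields that precede the IEs in an assoc response. */
#define FIXED_PARAM_OFFSET_ASSOC_RSP 6U

/* Length the pre-fix code hands to the IE parser: unsigned subtraction that
 * wraps to a huge value when the payload is shorter than the fixed fields. */
uint32_t ie_buf_len_unchecked(uint32_t n_frame)
{
	return n_frame - FIXED_PARAM_OFFSET_ASSOC_RSP;
}

/* Guarded variant mirroring the commit's check; false stands in for
 * QDF_STATUS_E_FAILURE. The subtraction can no longer wrap. */
bool ie_buf_len_checked(uint32_t n_frame, uint32_t *ie_buf_len)
{
	if (n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP)
		return false;
	*ie_buf_len = n_frame - FIXED_PARAM_OFFSET_ASSOC_RSP;
	return true;
}

/* Minimal TLV walk over the IE region bounded by buf_len: returns the number
 * of complete IEs, or -1 if a header or body would run past buf_len. */
int count_ies(const uint8_t *ies, uint32_t buf_len)
{
	uint32_t pos = 0;
	int count = 0;

	while (pos < buf_len) {
		if (buf_len - pos < 2)                 /* no room for id + len */
			return -1;
		uint32_t len = ies[pos + 1];
		if (len > buf_len - pos - 2)           /* body overruns buffer */
			return -1;
		pos += 2 + len;
		count++;
	}
	return count;
}

/* Constructed payload: 6 fixed bytes, then an SSID IE (id 0, 4 bytes) and
 * a Supported Rates IE (id 1, 2 bytes). */
static const uint8_t sample_frame[] = {
	0x11, 0x04, 0x00, 0x00, 0x01, 0xc0,
	0x00, 0x04, 't', 'e', 's', 't',
	0x01, 0x02, 0x82, 0x84,
};
```

Passing the wrapped length to any loop bounded by buf_len lets it read far past the 16-byte frame, which is the OOB the commit closes.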

+ 5 - 0
core/mac/src/pe/lim/lim_process_fils.c

@@ -2366,6 +2366,11 @@ QDF_STATUS aead_decrypt_assoc_rsp(struct mac_context *mac_ctx,
 	uint8_t *fils_ies;
 	struct pe_fils_session *fils_info = session->fils_info;
 
+	if (*n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP) {
+		pe_debug("payload len is less than ASSOC RES offset");
+		return QDF_STATUS_E_FAILURE;
+	}
+
 	status = find_ie_data_after_fils_session_ie(mac_ctx, p_frame +
 					      FIXED_PARAM_OFFSET_ASSOC_RSP,
 					      ((*n_frame) -
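Review bot: the new guard stops the subtraction at the end of the hunk from wrapping, but it still admits `*n_frame == FIXED_PARAM_OFFSET_ASSOC_RSP`, which hands a zero-length IE buffer to find_ie_data_after_fils_session_ie(); confirm that function fails cleanly when buf_len is 0, or tighten the check to `<=`. The pe_debug line would also be more useful for diagnosing a rejected frame if it logged the two lengths being compared, e.g. `pe_debug("payload len %u < ASSOC RSP offset %u", *n_frame, FIXED_PARAM_OFFSET_ASSOC_RSP);` with the specifier adjusted to n_frame's type.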