
qcacmn: Validate next_ie length in util_get_successorfrag()

Currently, in the wlan_defrag_elemsubelem_fragseq() API,
there is a possible buffer over-read in the fragbuff buffer.
The buffer may have a malicious length larger than its
payload size, which leads to a buffer over-read during
defragmentation.

Fix is to validate the fragment length against the buffer
boundary in util_get_successorfrag().

Change-Id: Ia9e688a0ab17954eb464ec586820bb95b51f12d1
CRs-Fixed: 3236560
Deeksha Gupta 3 years ago
parent
commit
3d3d3c4fdb
1 changed file with 5 additions and 0 deletions

+ 5 - 0
umac/mlo_mgr/src/utils_mlo.c

@@ -727,6 +727,11 @@ uint8_t *util_get_successorfrag(uint8_t *currie, uint8_t *frame, qdf_size_t len)
 
 	nextie = currie + currie[TAG_LEN_POS] + MIN_IE_LEN;
 
+	/* Check whether there is sufficient space in the frame for the next IE
+	 */
+	if ((nextie + MIN_IE_LEN + nextie[TAG_LEN_POS]) > (frame + len))
+		return NULL;
+
 	if (nextie[ID_POS] != WLAN_ELEMID_FRAGMENT)
 		return NULL;
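
Review bot: The added condition reads `nextie[TAG_LEN_POS]` before anything in the visible lines confirms that the next IE's two header bytes are inside `frame + len`. If `currie` is the last element in the frame, `nextie` can sit at or one byte short of the end of the buffer, and the length byte used for the bounds check is then itself read out of bounds. Unless a check above this hunk already guarantees `nextie + MIN_IE_LEN <= frame + len`, test the header first with `if ((nextie + MIN_IE_LEN) > (frame + len)) return NULL;` and only then evaluate the payload length. It would also be more robust to compare remaining byte counts, for example `len - (nextie - frame)` against `MIN_IE_LEN + nextie[TAG_LEN_POS]`, instead of forming pointer sums that may point past the end of the buffer. The same header check protects the existing `nextie[ID_POS]` read that follows.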