
qcacmn: Fix OOB issue for bwnss oui

If is_bwnss_oui returns true in util_scan_parse_vendor_ie,
execution reaches the following logic:
scan_params->ie_list.bwnss_map = (((uint8_t *)ie) + 8)
But if ie->ie_len < 6, this causes an out-of-bounds
read. So add the length check before
reading it.

Change-Id: I0cdf723154eb808f8062efd897f9d67d54d4573b
CRs-Fixed: 2838849
Chaoli Zhou 4 years ago
4096046a47

+ 2 - 0
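--- a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
+++ b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
@@ -1831,6 +1831,8 @@ is_bwnss_oui(uint8_t *frm)
 		((ATH_OUI_BW_NSS_MAP_TYPE << 24) | ATH_OUI));
 }
 
+#define WLAN_BWNSS_MAP_OFFSET 6
+
 /**
  * is_he_cap_oui() - If vendor IE is HE CAP OUI
  * @frm: vendor IE pointer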
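Review bot: WLAN_BWNSS_MAP_OFFSET is added without a comment saying what the 6 bytes are, so a reader of the header cannot relate it to the `+ 8` it is meant to bound in wlan_scan_utils_api.c. From the is_bwnss_oui check just above it (ATH_OUI combined with ATH_OUI_BW_NSS_MAP_TYPE) and the "sub-type & version" comment at the use site, the value appears to be OUI(3) + type(1) + sub-type(1) + version(1), but that layout is inferred rather than visible here. A one-line comment such as `/* IE-body bytes preceding the BW-NSS map: OUI(3), type(1), sub-type(1), version(1); the map itself starts at ie + 2 + this - confirm against the IE definition */` would make the bound checkable by the next maintainer.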

+ 2 - 1
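--- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -866,7 +866,8 @@ util_scan_parse_vendor_ie(struct scan_cache_entry *scan_params,
 		 * Bandwidth-NSS map has sub-type & version.
 		 * hence copy data just after version byte
 		 */
-		scan_params->ie_list.bwnss_map = (((uint8_t *)ie) + 8);
+		if (ie->ie_len > WLAN_BWNSS_MAP_OFFSET)
+			scan_params->ie_list.bwnss_map = (((uint8_t *)ie) + 8);
 	} else if (is_mbo_oce_oui((uint8_t *)ie)) {
 		scan_params->ie_list.mbo_oce = (uint8_t *)ie;
 	} else if (is_extender_oui((uint8_t *)ie)) {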
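Review bot: The new guard `ie->ie_len > WLAN_BWNSS_MAP_OFFSET` only proves that a single byte exists at `ie + 8`; if any consumer of scan_params->ie_list.bwnss_map reads more than one byte of the map, the comparison must also cover that size, and the map length is not visible in this hunk. The offset is now a named constant but the matching `+ 8` stays a literal, so the two can drift apart; writing the assignment as `scan_params->ie_list.bwnss_map = (((uint8_t *)ie) + 2 + WLAN_BWNSS_MAP_OFFSET);` ties the pointer to the same bound (the 2 presumably being the id/length header that `ie->ie_len` sits in). When the check fails bwnss_map is left untouched, which is only safe if it was initialised to NULL earlier; that initialisation, like the start and end of util_scan_parse_vendor_ie, is outside the hunk.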