
qcacld-3.0: Avoid potential buffer overflow in cfg80211 scan

In __wlan_hdd_cfg80211_scan(), while copying ie data from
cfg80211_scan_request to local destination buffer, there is no check of
ie_len against maximum possible length of SIR_MAC_MAX_ADD_IE_LENGTH (2048).
This can result in buffer overflow.

To address this, validate ie_len in cfg80211_scan_request.

Change-Id: I5da837395869704666762fdf57293d9561d3ad83
CRs-Fixed: 2247604
Rajeev Kumar Sirasanagandla 6 years ago
parent
commit
4192d988f0
1 changed file with 5 additions and 0 deletions: core/hdd/src/wlan_hdd_scan.c

+ 5 - 0
core/hdd/src/wlan_hdd_scan.c

@@ -575,6 +575,11 @@ static int __wlan_hdd_cfg80211_scan(struct wiphy *wiphy,
 	params.default_ie.len = 0;
 	/* Store the Scan IE's in Adapter*/
 	if (request->ie_len) {
+		if (request->ie_len > SIR_MAC_MAX_ADD_IE_LENGTH) {
+			hdd_debug("Invalid ie_len: %zu", request->ie_len);
+			return -EINVAL;
+		}
+
 		/* save this for future association (join requires this) */
 		memset(&scan_info->scan_add_ie, 0, sizeof(scan_info->scan_add_ie));
 		memcpy(scan_info->scan_add_ie.addIEdata, request->ie,
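Review bot: the new bound in `if (request->ie_len > SIR_MAC_MAX_ADD_IE_LENGTH)` is a separate named constant, while the buffer actually written by the following `memcpy(scan_info->scan_add_ie.addIEdata, request->ie, ...)` is `addIEdata`; unless the declaration of `addIEdata` uses that same constant, the two can drift apart on a later edit, so comparing against `sizeof(scan_info->scan_add_ie.addIEdata)` would tie the check to the destination it protects. The rejected value comes from userspace, so logging it at `hdd_debug` level is reasonable, and `%zu` matches the `size_t` type of `ie_len`; the hunk is cut off before the copy's length argument, so the remainder should be confirmed to copy exactly `request->ie_len` bytes and to record that length alongside the data.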