
qcacld-3.0: Fix potential OOB read in lim_cu_info_from_rnr_per_link_id

Currently while fetching the cu info from rnr, data length is checked only
for max rnr element which leads to possible out-of-bounds reads with
invalid information elements.

Add fix to update the data length checks in the while loop to ensure
sufficient bytes are there.

CRs-Fixed: 3754687
Change-Id: I93f2fbc21fc5adfd848ebb27264cc18f7f553438
Krupali Dhanvijay 1 year ago
parent
commit
6385e2ee56
1 changed file with 1 addition and 1 deletion
  1. core/mac/src/pe/lim/lim_mlo.c (+1 -1)

+ 1 - 1
core/mac/src/pe/lim/lim_mlo.c

@@ -51,7 +51,7 @@ QDF_STATUS lim_cu_info_from_rnr_per_link_id(const uint8_t *rnr,
 
 	rnr_end = rnr + rnr[TAG_LEN_POS] + MIN_IE_LEN;
 	data = rnr + PAYLOAD_START_POS;
-	while (data < rnr_end) {
+	while ((data + sizeof(struct neighbor_ap_info_field)) <= rnr_end) {
 		neighbor_ap_info = (struct neighbor_ap_info_field *)data;
 		tbtt_count = neighbor_ap_info->tbtt_header.tbtt_info_count;
 		tbtt_len = neighbor_ap_info->tbtt_header.tbtt_info_length;
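Review bot: the new loop condition `while ((data + sizeof(struct neighbor_ap_info_field)) <= rnr_end)` only guarantees that the fixed `neighbor_ap_info_field` header fits before it is dereferenced; the `tbtt_count` and `tbtt_len` values read from that header decide how many further bytes the loop will consume, and nothing in this hunk shows `data` being re-checked against `rnr_end` before those TBTT info entries are read or before `data` is advanced past them. Suggest a second bound after the header read, in length form such as `rnr_end - data >= sizeof(struct neighbor_ap_info_field) + entries_len` (with `entries_len` derived from `tbtt_count` and `tbtt_len`), so a malformed element cannot still push the read beyond the end of the RNR element. The subtraction form is also preferable to `data + sizeof(...)` in the loop condition itself, since computing a pointer that lands past the end of the element and then comparing it is undefined behaviour in C even when the comparison rejects it.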