qcacld-3.0: Avoid OOB read in sch_get_csa_ecsa_count_offset

Avoid OOB read in sch_get_csa_ecsa_count_offset API by
adding check for ie_len before subtracting element ID len
from it.

Change-Id: Id86e69b2c5abc37a4f33125dc5fd0bd1d92f64a7
CRs-Fixed: 3049251

core/mac/src/pe/sch/sch_beacon_gen.c

@@ -50,7 +50,7 @@ const uint8_t p2p_oui[] = { 0x50, 0x6F, 0x9A, 0x9 };
 
 /**
  * sch_get_csa_ecsa_count_offset() - get the offset of Switch count field
- * @ie: pointer to the beggining of IEs in the beacon frame buffer
+ * @ie: pointer to the beginning of IEs in the beacon frame buffer
  * @ie_len: length of the IEs in the buffer
  * @csa_count_offset: pointer to the csa_count_offset variable in the caller
  * @ecsa_count_offset: pointer to the ecsa_count_offset variable in the caller
@@ -89,6 +89,9 @@ static void sch_get_csa_ecsa_count_offset(const uint8_t *ie, uint32_t ie_len,
 			*ecsa_count_offset = offset +
 					SCH_ECSA_SWITCH_COUNT_OFFSET;
 
+		if (ie_len < elem_len)
+			return;
+
 		ie_len -= elem_len;
 		offset += elem_len;
 		ptr += (elem_len + 2);