
qcacmn: Fix potential OOB read in util_scan_is_split_prof_found()

If the tag length in next_elem is some invalid high value then the
existing length check can still pass and lead to the OOB access.

Add an OOB check w.r.t total IE length to ensure it has the
minimum number of bytes in the buffer.

Change-Id: I9778a3e0ced05d3246d91e23c2a47f7318634d75
CRs-Fixed: 3717566
Srikanth Marepalli 1 year ago
Parent
Current commit
77e5284c7c
1 file changed, 3 insertions, 0 deletions

umac/scan/dispatcher/src/wlan_scan_utils_api.c

@@ -3347,6 +3347,9 @@ static bool util_scan_is_split_prof_found(uint8_t *next_elem,
 {
 	uint8_t *next_mbssid_elem;
 
+	if ((next_elem + MIN_IE_LEN + VALID_ELEM_LEAST_LEN) > (ie + ielen))
+		return false;
+
 	if (next_elem[0] == WLAN_ELEMID_MULTIPLE_BSSID) {
 		if ((next_elem[TAG_LEN_POS] >= VALID_ELEM_LEAST_LEN) &&
 		    (next_elem[SUBELEM_DATA_POS_FROM_MBSSID] !=
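Review bot: The new guard at the top of util_scan_is_split_prof_found() builds `next_elem + MIN_IE_LEN + VALID_ELEM_LEAST_LEN` before comparing it with `ie + ielen`, so when next_elem already sits near the end of the buffer the expression forms a pointer past the end before the comparison runs. Comparing the remaining length instead, for example `(ie + ielen) - next_elem < MIN_IE_LEN + VALID_ELEM_LEAST_LEN`, keeps the arithmetic inside the buffer. Separately, the highest index the code below reads is `next_elem[SUBELEM_DATA_POS_FROM_MBSSID]`, and nothing in the hunk shows that MIN_IE_LEN + VALID_ELEM_LEAST_LEN covers that offset. Writing the bound in terms of SUBELEM_DATA_POS_FROM_MBSSID, or adding a short comment stating the relationship between the constants, would let a reader verify the check. The guard also only ensures a minimum number of bytes, so the value in `next_elem[TAG_LEN_POS]` is still compared only against VALID_ELEM_LEAST_LEN and not against the bytes actually left in the IE buffer. If later code uses that length to walk the element, it needs its own bound.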