
qcacld-3.0: Fix array out-of-bounds & integer underflow in _iw_set_genie

This is a qcacld-2.0 to qcacld-3.0 propagation

'wrqu->data.length' holds the total number of IE data buffer.
Add a check to make sure the number of remaining data to be read is
greater than or equal to IE length.

Also, advance the buffer pointer to point to the next element only
if next element is present.

Change-Id: Ic60f3e0650f365955dab4099eb8740e9789e00cc
CRs-Fixed: 1100132
Srinivas Girigowda 8 years ago
parent
commit
9eb807b939
1 changed file with 11 additions and 1 deletion

+ 11 - 1
core/hdd/src/wlan_hdd_wext.c

@@ -5246,6 +5246,13 @@ static int __iw_set_genie(struct net_device *dev,
 
 		hdd_debug("IE[0x%X], LEN[%d]", elementId, eLen);
 
+		if (remLen < eLen) {
+			hdd_err("Remaining len: %u less than ie len: %u",
+				remLen, eLen);
+			ret = -EINVAL;
+			goto exit;
+		}
+
 		switch (elementId) {
 		case IE_EID_VENDOR:
 			/* should have at least OUI */
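Review bot: the new `if (remLen < eLen)` check logs both lengths but not which element failed, and it prints eLen with %u while the hdd_debug line directly above prints the same variable with %d. Add elementId to the hdd_err message and use one specifier that matches eLen's declared type in both calls, so a rejected buffer can be traced to the offending IE. Because these lengths come from the caller-supplied IE buffer the commit message describes, also consider whether an unthrottled hdd_err is the right log level for a condition the caller can trigger repeatedly.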
@@ -5334,8 +5341,11 @@ static int __iw_set_genie(struct net_device *dev,
 			hdd_err("Set UNKNOWN IE %X", elementId);
 			goto exit;
 		}
-		genie += eLen;
 		remLen -= eLen;
+
+		/* Move genie only if next element is present */
+		if (remLen >= 2)
+			genie += eLen;
 	}
 exit:
 	EXIT();
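Review bot: the conditional advance `if (remLen >= 2) genie += eLen;` lets genie and remLen fall out of step on the final iteration, since remLen has already been reduced by eLen while genie still points at the start of the element's payload. With the `remLen < eLen` check added in the first hunk, an unconditional `genie += eLen` lands at most one past the remaining bytes, so the guard is not needed for memory safety. If it is kept, the comment should state that the loop condition (not visible in this hunk) must stop when fewer than 2 bytes remain, and the literal 2 should be a named constant for the IE header size. A single trailing byte (remLen == 1) is also silently ignored rather than rejected with -EINVAL; please confirm that is intended.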