
qcacmn: Fix out of bound read issue in ESP ie parse

While parsing ESP IE from beacon/probe response frame,
the condition in loop to copy ESP_INFO from the ESP IE is
incorrect: it will iterate 5 times rather than 4 times,
which may cause OOB access.

data < ((uint8_t *)esp_ie + esp_ie->esp_len + 3)
Here 3 is added to esp_ie->esp_len; actually esp_len itself is
1 byte extra (esp_len = ESP_ID_EXTN + ESP_INFO * 4),
but adding 3 again will loop for one more iteration,
and this will cause OOB access.

Remove the 3 from the loop condition to avoid one extra iteration,
and ignore the ESP_ID_EXTN element in the total element count, in function
util_scan_update_esp_data.

Change-Id: Ia9226e483672369af36c6914e3ac914fe9de45e5
CRs-Fixed: 3710081
Vinod Kumar Myadam 1 year ago
Parent
Current commit
a4e329c71c
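The commit message above describes the off-by-one in the loop bound in terms of byte offsets: the records start at `esp_ie + 3`, each record is a fixed number of bytes, and the IE's own length field covers the extension ID plus the records. The following is an added example, not code from qcacmn or from this commit, that parses an ESP IE from a bounded buffer the way a defender would want it parsed (length validated against the buffer, whole record required to fit) and, separately, counts how many records a `data < limit` bound admits before and after the fix. The record layout (`ESP_INFO_RECORD_LEN` of 3 bytes, the `access_category` field in the low bits of the first octet) and the sample IE bytes are assumptions for illustration; `ESP_INFORMATION_LIST_LENGTH`'s real value is not given on the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed on-the-wire layout of the ESP IE inside a beacon / probe response:
 *   [element ID][length = esp_len][extension ID][record 0][record 1]...
 * esp_len counts the extension ID byte plus the records, matching the commit
 * message's "esp_len = ESP_ID_EXTN + ESP_INFO * 4". */
#define ESP_IE_HDR_LEN       2   /* element ID + length byte */
#define ESP_ID_EXTN_LEN      1   /* extension ID byte */
#define ESP_INFO_RECORD_LEN  3   /* bytes per ESP info record (assumed value) */

struct esp_info_record {
    uint8_t access_category;    /* assumed: low two bits of the first octet */
    uint8_t air_time_fraction;  /* assumed: second octet */
    uint8_t ppe_threshold;      /* assumed: third octet */
};

/* Constructed sample: one ESP IE carrying four records (esp_len = 1 + 3 * 4 = 13).
 * 0xff is the extension element ID; 11 is used here as the ESP extension ID. */
static const uint8_t SAMPLE_ESP_IE[] = {
    0xff, 13, 11,
    0x00, 0x10, 0x20,   /* record for AC 0 */
    0x01, 0x11, 0x21,   /* record for AC 1 */
    0x02, 0x12, 0x22,   /* record for AC 2 */
    0x03, 0x13, 0x23    /* record for AC 3 */
};

/* Parse ESP records out of ie[0 .. ie_buf_len). Returns the number of records
 * written to out (at most max_out), or -1 if the IE is malformed or claims
 * more bytes than the buffer holds. Never reads past ie + ie_buf_len. */
int esp_ie_parse(const uint8_t *ie, size_t ie_buf_len,
                 struct esp_info_record *out, size_t max_out)
{
    if (ie == NULL || ie_buf_len < ESP_IE_HDR_LEN + ESP_ID_EXTN_LEN)
        return -1;

    uint8_t esp_len = ie[1];
    /* esp_len must at least cover the extension ID, and the whole IE must
     * lie inside the buffer we were handed (a truncated frame fails here). */
    if (esp_len < ESP_ID_EXTN_LEN ||
        (size_t)ESP_IE_HDR_LEN + esp_len > ie_buf_len)
        return -1;

    const uint8_t *data = ie + ESP_IE_HDR_LEN + ESP_ID_EXTN_LEN;  /* esp_ie + 3 */
    const uint8_t *end  = ie + ESP_IE_HDR_LEN + esp_len;          /* one past the IE */
    size_t total_elements = (size_t)(esp_len - ESP_ID_EXTN_LEN) / ESP_INFO_RECORD_LEN;
    size_t n = 0;

    /* Require the full record to fit, not just its first byte. */
    while (n < total_elements && n < max_out && data + ESP_INFO_RECORD_LEN <= end) {
        out[n].access_category   = data[0] & 0x03;
        out[n].air_time_fraction = data[1];
        out[n].ppe_threshold     = data[2];
        data += ESP_INFO_RECORD_LEN;
        n++;
    }
    return (int)n;
}

/* Models only the pointer bound of the loop in util_scan_update_esp_data:
 * data starts at offset 3 and advances ESP_INFO_RECORD_LEN per record while
 * data < esp_len + limit_extra. limit_extra = 3 is the bound before the fix,
 * 0 the bound after it. Pure offset arithmetic; no memory is touched. */
int esp_records_admitted(unsigned esp_len, unsigned limit_extra)
{
    unsigned limit = esp_len + limit_extra;
    int n = 0;
    for (unsigned off = ESP_IE_HDR_LEN + ESP_ID_EXTN_LEN; off < limit;
         off += ESP_INFO_RECORD_LEN)
        n++;
    return n;
}

int main(void)
{
    struct esp_info_record recs[8];
    int n = esp_ie_parse(SAMPLE_ESP_IE, sizeof(SAMPLE_ESP_IE), recs, 8);
    printf("parsed %d records from a %zu-byte IE\n", n, sizeof(SAMPLE_ESP_IE));
    printf("records admitted by old bound: %d, by new bound: %d\n",
           esp_records_admitted(13, 3), esp_records_admitted(13, 0));
    return 0;
}
```

With the sample IE the old bound admits a fifth record starting at offset 15, past the last valid byte at offset 14, while the new bound stops at four. The parser's `data + ESP_INFO_RECORD_LEN <= end` test is stricter than either bound: it also rejects a trailing partial record, which matters when the length byte and the buffer disagree.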
1 file changed, 3 insertions and 2 deletions

+3 -2
umac/scan/dispatcher/src/wlan_scan_utils_api.c

@@ -1740,7 +1740,8 @@ static void util_scan_update_esp_data(struct wlan_esp_ie *esp_information,
 	esp_ie = (struct wlan_esp_ie *)
 		util_scan_entry_esp_info(scan_entry);
 
-	total_elements  = esp_ie->esp_len;
+	// Ignore ESP_ID_EXTN element
+	total_elements  = esp_ie->esp_len - 1;
 	data = (uint8_t *)esp_ie + 3;
 	do_div(total_elements, ESP_INFORMATION_LIST_LENGTH);
 
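Review bot: `total_elements  = esp_ie->esp_len - 1;` underflows when esp_len is 0 and total_elements is unsigned (it is handed to do_div, which takes an unsigned 64-bit dividend), so a malformed IE with a zero length byte would yield a huge element count instead of a small one; unless a check above this hunk already rejects esp_len < 1, add `if (esp_ie->esp_len < 1) return;` before the subtraction. Minor style point: kernel C prefers `/* Ignore ESP_ID_EXTN element */` over the `//` comment.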
@@ -1750,7 +1751,7 @@ static void util_scan_update_esp_data(struct wlan_esp_ie *esp_information,
 	}
 
 	for (i = 0; i < total_elements &&
-	     data < ((uint8_t *)esp_ie + esp_ie->esp_len + 3); i++) {
+	     data < ((uint8_t *)esp_ie + esp_ie->esp_len); i++) {
 		esp_info = (struct wlan_esp_info *)data;
 		if (esp_info->access_category == ESP_AC_BK) {
 			qdf_mem_copy(&esp_information->esp_info_AC_BK,
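Review bot: the new bound `data < ((uint8_t *)esp_ie + esp_ie->esp_len)` is not the end of the IE and checks only the first byte of each record. With data starting at `esp_ie + 3` (past element ID, length and extension ID, per the previous hunk) and esp_len counting the extension ID plus the records, the payload ends at `esp_ie + 2 + esp_ie->esp_len`, so the chosen limit is two bytes short of that and works for the 4-record case mainly because the records are fixed size and `i < total_elements` also caps the loop. Suggest computing the end once and requiring the whole record to fit: `end = (uint8_t *)esp_ie + 2 + esp_ie->esp_len;` and `data + sizeof(struct wlan_esp_info) <= end` in the loop condition, which keeps this fix and additionally rejects a truncated trailing record.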