
qcacmn: Fix out of bound read issue in util_scan_parse_rnr_ie()

During IE parsing of beacon/probe response frames, the variables
tbtt_count and tbtt_length in util_scan_parse_rnr_ie() are read
directly from the IE and their values are not checked before use,
which may cause an out-of-bounds read.

Validate tbtt_count and tbtt_length before using it

Change-Id: I51cfb2356fb16feda8a70c4b76c7f76c90b1393b
CRs-Fixed: 2836205
Jyoti Kumari 4 years ago
parent
commit
a7cc077a26

+ 2 - 0
umac/scan/dispatcher/inc/wlan_scan_public_structs.h

@@ -58,6 +58,8 @@ typedef uint32_t wlan_scan_id;
 #define PROBE_REQ_BITMAP_LEN 8
 #define MAX_PROBE_REQ_OUIS 16
 
+#define TBTT_INFO_COUNT 16
+
 /* forward declaration */
 struct wlan_objmgr_vdev;
 struct wlan_objmgr_pdev;
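Review bot: The new macro `TBTT_INFO_COUNT` is added without a comment, and because it is used as an upper bound on a count parsed from an over-the-air RNR IE its meaning and origin should be stated next to it, e.g. `/* Upper bound for the TBTT Information Count parsed from an RNR IE; see util_scan_parse_rnr_ie() */`. If the value 16 is meant to match the width of the TBTT Information Count field in the Neighbor AP Information header, the comment should say so, since a reader cannot otherwise tell whether 16 is a protocol limit or a local array size.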

+ 6 - 1
umac/scan/dispatcher/src/wlan_scan_utils_api.c

@@ -736,7 +736,12 @@ util_scan_parse_rnr_ie(struct scan_cache_entry *scan_entry,
 		scm_debug("tbtt_count %d, tbtt_length %d, fieldtype %d",
 			  tbtt_count, tbtt_length, fieldtype);
 		data += sizeof(struct neighbor_ap_info_field);
-		for (i = 0; i < (tbtt_count + 1) ; i++) {
+
+		if (tbtt_count > TBTT_INFO_COUNT)
+			break;
+
+		for (i = 0; i < (tbtt_count + 1) &&
+		     data < ((uint8_t *)ie + rnr_ie_len + 2); i++) {
 			if (i < MAX_RNR_BSS)
 				util_scan_update_rnr(
 					&scan_entry->rnr.bss_info[i],
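Review bot: The added loop guard `data < ((uint8_t *)ie + rnr_ie_len + 2)` only checks that the first byte of each TBTT entry lies inside the IE, so a truncated last entry still lets util_scan_update_rnr() read tbtt_length bytes past the end of the IE; bound the whole entry instead, `data + tbtt_length <= ((uint8_t *)ie + rnr_ie_len + 2)`. The commit message says tbtt_length is validated, but nothing in this hunk checks it, and the per-iteration advance by tbtt_length is presumably below the hunk, so the entry-sized bound is the only place it would be constrained. If tbtt_count is extracted from the 4-bit TBTT Information Count field it can never exceed 15, in which case `tbtt_count > TBTT_INFO_COUNT` is dead code and either `>=` or a comment stating the intended range would be clearer. The body of util_scan_parse_rnr_ie() begins before and continues after this hunk.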