
qcacmn: OOB while accessing ML IE

Currently, in function "util_get_ml_bv_partner_link_info" the driver
accesses the ML IE memory with an offset which is calculated from the ML IE
length and increments this offset with other values (such as
perstaprof_stainfo_len). But this can lead to OOB for the ML IE when
this offset value is incremented beyond the ML IE length.

So, to fix this, add a check for the offset before accessing the ML IE.

Change-Id: Ie7312ab3379fce16e5b0f83d07d46f263f774ed8
CRs-Fixed: 3710085
Rahul Gusain 1 year ago
commit b2253d3444
1 changed file with 8 additions and 1 deletion

umac/scan/dispatcher/src/wlan_scan_utils_api.c (+8 -1)

@@ -2293,8 +2293,11 @@ util_get_ml_bv_partner_link_info(struct wlan_objmgr_pdev *pdev,
 	}
 
 	scan_entry->ml_info.num_links = link_idx;
-	if (!offset)
+	if (!offset ||
+	    (offset + sizeof(struct wlan_ml_bv_linfo_perstaprof) >= ml_ie_len)) {
+		scm_err_rl("incorrect offset value %d", offset);
 		return;
+	}
 
 	/* TODO: loop through all the STA info fields */
 
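Review bot: The new bound on the `if (!offset || ...)` line uses `>=`, so a per-STA profile whose `sizeof(struct wlan_ml_bv_linfo_perstaprof)` bytes end exactly at `ml_ie_len` is rejected even though that read stays in bounds; `offset + sizeof(struct wlan_ml_bv_linfo_perstaprof) > ml_ie_len` is the exact check, and if the stricter form is deliberate, a comment saying so would help. Also, `scan_entry->ml_info.num_links = link_idx` is assigned on the context line just above this early return, so a malformed IE now leaves `num_links` set while the partner link info for those links is never filled in; either reset `num_links` before returning or confirm that every consumer tolerates partially populated link info. Finally, if `offset` is an unsigned type, the `%d` in `scm_err_rl("incorrect offset value %d", offset)` should be `%u` (or `%zu` for `size_t`).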
@@ -2338,6 +2341,10 @@ util_get_ml_bv_partner_link_info(struct wlan_objmgr_pdev *pdev,
 
 		/* Skip STA Info Length field */
 		offset += perstaprof_stainfo_len;
+		if (offset >= ml_ie_len) {
+			scm_err_rl("incorrect offset value %d", offset);
+			return;
+		}
 
 		/*
 		 * To point to the ie_list offset move past the STA Info
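Review bot: The `if (offset >= ml_ie_len)` test after `offset += perstaprof_stainfo_len;` only guarantees that a single byte at `offset` is inside the IE, but the comment that follows says the code next moves past the STA Info to the ie_list and parses further fields from there; each such fixed-size read needs `offset + <field size> > ml_ie_len` rather than a one-byte check, otherwise the OOB this change is meant to close can still occur on the subsequent access. It would also be worth validating `perstaprof_stainfo_len` against the remaining IE length before adding it, so a length field larger than the remaining bytes is reported as such rather than as an "incorrect offset value". Same early-return caveat as in the first hunk: `num_links` has already been set, so the returned entry carries links with no partner info.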