
qcacld-3.0: Fix potential integer underflow in lim_parse_kde_elements

In function lim_parse_kde_elements, elem_len is obtained from the
assoc response IE buffer and is used to decrement rem_len in the
while loop. If the value of elem_len is greater than rem_len, an
integer underflow would happen to rem_len leading to buffer overread.
Also, if elem_len is greater than kde_list_len, a buffer overread
would occur when incrementing the temp_ie pointer.

Add a sanity check to make sure elem_len is not greater than
kde_list_len or rem_len.

Change-Id: If126bb0e14b57f3594679b91d54cc0f1ffaa6f66
CRs-Fixed: 2152946
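As an added illustration of the bug class the commit message describes, here is a small length-prefixed element walker written for this note; it is not code from the qcacld-3.0 tree, and the element format (<type:1><len:1><payload:len>), function names and sample inputs are my own. The point it shows is the one the patch makes: the element length must be compared against the remaining buffer length before it is subtracted or used to advance the pointer, otherwise an attacker-controlled length wraps rem_len and walks the pointer off the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical element format modelled on the pattern in the commit
 * message: a list of <type:1><len:1><payload:len> records. */
#define ELEM_HDR_LEN 2

enum parse_status { PARSE_OK = 0, PARSE_BAD_LEN = -1 };

/* Walk the element list, counting elements and recording the largest
 * payload. Returns PARSE_OK or PARSE_BAD_LEN on a malformed length. */
static int walk_elements(const uint8_t *buf, size_t list_len,
                         size_t *n_elems, size_t *max_payload)
{
    const uint8_t *p = buf;
    size_t rem_len = list_len;
    size_t count = 0, maxp = 0;

    /* Only read a header when a full header is actually left; this is
     * the guard that has to come before rem_len -= ELEM_HDR_LEN. */
    while (rem_len >= ELEM_HDR_LEN) {
        uint8_t type = p[0];
        uint8_t elem_len = p[1];
        p += ELEM_HDR_LEN;
        rem_len -= ELEM_HDR_LEN;

        /* The check the patch adds: elem_len must fit in what remains.
         * Without it, rem_len -= elem_len below would wrap (size_t is
         * unsigned) and p += elem_len would point past buf + list_len. */
        if (elem_len > rem_len) {
            fprintf(stderr, "bad elem_len %u rem_len %zu\n",
                    (unsigned)elem_len, rem_len);
            return PARSE_BAD_LEN;
        }

        (void)type;               /* type dispatch would go here */
        count++;
        if (elem_len > maxp)
            maxp = elem_len;

        p += elem_len;
        rem_len -= elem_len;
    }

    if (n_elems)
        *n_elems = count;
    if (max_payload)
        *max_payload = maxp;

    /* Design choice: a dangling partial header is treated as malformed
     * rather than silently ignored. */
    return rem_len == 0 ? PARSE_OK : PARSE_BAD_LEN;
}

/* Constructed sample inputs (not captured from real frames). */
static const uint8_t good_list[] = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 };
static const uint8_t bad_list[]  = { 0x01, 0x10, 'a' };   /* len 16, 1 byte left */

/* Helpers that expose results for checking. */
size_t demo_good_count(void)
{
    size_t n = 0, m = 0;
    return walk_elements(good_list, sizeof good_list, &n, &m) == PARSE_OK ? n : 0;
}

size_t demo_good_max_payload(void)
{
    size_t n = 0, m = 0;
    return walk_elements(good_list, sizeof good_list, &n, &m) == PARSE_OK ? m : 0;
}

int demo_bad_status(void)
{
    return walk_elements(bad_list, sizeof bad_list, NULL, NULL);
}

int main(void)
{
    printf("good: %zu elements, max payload %zu\n",
           demo_good_count(), demo_good_max_payload());
    printf("bad: status %d\n", demo_bad_status());
    return 0;
}
```

The well-formed list parses to two elements with a largest payload of three bytes; the malformed list declares a 16-byte payload when only one byte remains and is rejected before the pointer is advanced.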
Vignesh Viswanathan 7 years ago
parent commit b4471859c9

+ 6 - 0
core/mac/src/pe/lim/lim_process_fils.c

@@ -1345,6 +1345,12 @@ static QDF_STATUS lim_parse_kde_elements(tpAniSirGlobal mac_ctx,
 		elem_len = *temp_ie++;
 		rem_len -= 2;
 
+		if (rem_len < elem_len || elem_len > kde_list_len) {
+			pe_err("Invalid elem_len %d rem_len %d list_len %d",
+				elem_len, rem_len, kde_list_len);
+			return QDF_STATUS_E_FAILURE;
+		}
+
 		if (lim_check_if_vendor_oui_match(mac_ctx, KDE_OUI_TYPE,
 				KDE_OUI_TYPE_SIZE, current_ie, elem_len)) {
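Review bot: the new guard `if (rem_len < elem_len || elem_len > kde_list_len)` is evaluated only after the unchanged `rem_len -= 2;` above it, so the type byte and `elem_len = *temp_ie++` are read and `rem_len` is decremented before anything in this hunk confirms that at least two bytes remained; unless the while condition outside the hunk already guarantees `rem_len >= 2`, the underflow described in the commit message can still happen on the header read rather than on the payload. Suggest either adding a `rem_len < 2` check before `rem_len -= 2;` or stating in the commit message that the loop condition covers it. Also, the `%d` conversions in `pe_err("Invalid elem_len %d rem_len %d list_len %d", ...)` assume the three variables promote to int; if any of them is an unsigned 32-bit type, `%u` avoids a misleading negative value in the log.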