
qcacmn: Fix OOB in util_gen_new_ie

For example, if tmp_new[1] = 3 and subie_len = 160,
(tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy will be 159.
In this scenario, the while condition becomes true (159 <= 160).
In the if condition (159 >= 160), we are not breaking out of the loop.
tmp_new will get incremented: tmp_new will point at 159,
tmp_new[1] will point at 160, and tmp_new[2] at 161.
So we are accessing a value one byte out of bounds.

To fix accessing the out-of-bound value, subtract one from subie_len
in the while and if conditions to avoid this scenario.

Change-Id: I624585323963b6d79acf9ff0f96ec17e0b415c2d
CRs-Fixed: 3358833
Vinod Kumar Myadam, 2 years ago
parent
commit b7987d7b29
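The scenario in the commit message, as an added example that is not part of the commit or of the qcacmn driver: a small C model of the util_gen_new_ie loop in which every dereference goes through a bounds-recording read instead of touching memory past the buffer, so the pre-patch and patched bounds can be compared on a constructed 160-byte buffer. walk_subelements, peek, run_case and the 0xdd element id are assumptions made here; while_slack and if_slack model the `- 1` the patch applies to the while condition and to the break condition.

```c
#include <stddef.h>
#include <stdint.h>
#define MIN_IE_LEN 2   /* element header: id byte + length byte */

struct walk_result {
    unsigned elements;  /* elements whose header and body lie inside the buffer */
    int oob_index;      /* first index read at or past len, or -1 if none */
};

/* Hypothetical bounds-checked read: where the driver would read past the
 * buffer, record the first out-of-bounds index and return 0 instead. */
static unsigned peek(const uint8_t *buf, size_t len, size_t i, struct walk_result *r)
{
    if (i >= len) {
        if (r->oob_index < 0)
            r->oob_index = (int)i;
        return 0;
    }
    return buf[i];
}

/* Loop shape of util_gen_new_ie over buf[0..len); off stands in for
 * tmp_new - sub_copy.  while_slack / if_slack are what the while condition
 * and the break condition subtract from subie_len: 0/0 pre-patch, 1/1 patched. */
static struct walk_result walk_subelements(const uint8_t *buf, size_t len,
                                           size_t while_slack, size_t if_slack)
{
    struct walk_result r = { 0, -1 };
    size_t off = 0;
    while (off + peek(buf, len, off + 1, &r) + MIN_IE_LEN <= len - while_slack) {
        r.elements++;   /* the driver copies the element here */
        if (off + peek(buf, len, off + 1, &r) + MIN_IE_LEN >= len - if_slack)
            break;
        off += peek(buf, len, off + 1, &r) + MIN_IE_LEN;
    }
    return r;
}

/* Constructed 160-byte buffer: eleven elements with length byte 12 fill
 * offsets 0..153, then one element at 154 with length byte last_len.
 * last_len = 3 is the commit message's case (ends at 158, byte 159 left over);
 * last_len = 4 makes the last element end exactly at byte 159. */
static struct walk_result run_case(uint8_t last_len, size_t ws, size_t is)
{
    uint8_t buf[160] = { 0 };
    for (size_t off = 0; off < 154; off += 14) { buf[off] = 0xdd; buf[off + 1] = 12; }
    buf[154] = 0xdd; buf[155] = last_len;
    return walk_subelements(buf, sizeof buf, ws, is);
}
int case_oob_index(uint8_t l, size_t ws, size_t is) { return run_case(l, ws, is).oob_index; }
unsigned case_elements(uint8_t l, size_t ws, size_t is) { return run_case(l, ws, is).elements; }
```

Building the buffer with last_len = 4, so the final element ends exactly at byte 159, shows that the patched while bound skips that element, while tightening only the break (while_slack = 0, if_slack = 1) still copies it without any out-of-bounds read.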
1 file changed with 2 additions and 2 deletions

umac/scan/dispatcher/src/wlan_scan_utils_api.c (+2, -2)

@@ -3050,7 +3050,7 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
 	 */
 	tmp_new = sub_copy;
 	while (((tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy) <=
-	       subie_len) {
+	       (subie_len - 1)) {
 		if (!(tmp_new[0] == WLAN_ELEMID_NONTX_BSSID_CAP ||
 		      tmp_new[0] == WLAN_ELEMID_SSID ||
 		      tmp_new[0] == WLAN_ELEMID_MULTI_BSSID_IDX ||
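Review bot: the `- 1` added on the while bound at `+	       (subie_len - 1)) {` is not the check that prevents the over-read, and it drops a valid element. This condition only verifies that the current element fits inside sub_copy, so an element whose end offset is exactly subie_len (a buffer filled to its last byte) is now never copied; the read it would need to guard, tmp_new[1] after the advance at the bottom of the loop, is already covered by the tightened break in the second hunk. Suggest leaving this line at `subie_len` and relying on the break. Also, if subie_len is an unsigned type, `subie_len - 1` wraps to a huge value when subie_len is 0; no zero check is visible in the hunk, so confirm one exists before the loop.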
@@ -3064,7 +3064,7 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
 			}
 		}
 		if (((tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy) >=
-		    subie_len)
+		    (subie_len - 1))
 			break;
 		tmp_new += tmp_new[1] + MIN_IE_LEN;
 	}
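Review bot: this break is the check that matters, because it runs before `tmp_new += tmp_new[1] + MIN_IE_LEN;` and therefore decides whether the next iteration's read of tmp_new[1] lands inside sub_copy. Writing it in those terms, with `next_off = (tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy` computed once per iteration and `if (next_off + MIN_IE_LEN > subie_len) break;`, is equivalent to `>= (subie_len - 1)` for the sizes involved, documents what is being protected, avoids evaluating the same pointer expression twice, and does not wrap when subie_len is 0. With the commit message's numbers, next_off == 159 gives 161 > 160 and the loop ends with tmp_new still at offset 154.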