
qcacld-3.0: Fix length check csr_retrieve_wpa/rsn_ie functions

Fix length check in csr_retrieve_wpa_ie and csr_retrieve_rsn_ie before
memcopy operation. Buffer passed to these functions is of max length
DOT11F_IE_RSN_MAX_LEN.

Change-Id: I87319891cf675865ba9709f5a63bf98cbd5059a2
CRs-Fixed: 1091486
Naveen Rawat 8 years ago
parent
commit
b88d73e534
2 changed files with 4 additions and 5 deletions
  1. 0 1
      core/mac/inc/sir_mac_prot_def.h
  2. 4 4
      core/sme/src/csr/csr_util.c

+ 0 - 1
core/mac/inc/sir_mac_prot_def.h

@@ -422,7 +422,6 @@
 
 /* / Maximum length of each IE */
 #define SIR_MAC_RSN_IE_MAX_LENGTH   255
-#define SIR_MAC_WPA_IE_MAX_LENGTH   255
 /* / Minimum length of each IE */
 #define SIR_MAC_RSN_IE_MIN_LENGTH   2
 #define SIR_MAC_WPA_IE_MIN_LENGTH   6

+ 4 - 4
core/sme/src/csr/csr_util.c

@@ -3624,8 +3624,8 @@ uint8_t csr_retrieve_wpa_ie(tHalHandle hHal, tCsrRoamProfile *pProfile,
 		if (!csr_is_profile_wpa(pProfile))
 			break;
 		if (pProfile->nWPAReqIELength && pProfile->pWPAReqIE) {
-			if (SIR_MAC_WPA_IE_MAX_LENGTH >=
-			    pProfile->nWPAReqIELength) {
+			if (pProfile->nWPAReqIELength <=
+					DOT11F_IE_RSN_MAX_LEN) {
 				cbWpaIe = (uint8_t) pProfile->nWPAReqIELength;
 				qdf_mem_copy(pWpaIe, pProfile->pWPAReqIE,
 					     cbWpaIe);
@@ -3665,8 +3665,8 @@ uint8_t csr_retrieve_rsn_ie(tHalHandle hHal, uint32_t sessionId,
 						     pSirBssDesc, pIes, pRsnIe);
 		} else if (pProfile->nRSNReqIELength && pProfile->pRSNReqIE) {
 			/* If you have one started away, re-use it. */
-			if (SIR_MAC_WPA_IE_MAX_LENGTH >=
-			    pProfile->nRSNReqIELength) {
+			if (pProfile->nRSNReqIELength <=
+					DOT11F_IE_RSN_MAX_LEN) {
 				cbRsnIe = (uint8_t) pProfile->nRSNReqIELength;
 				qdf_mem_copy(pRsnIe, pProfile->pRSNReqIE,
 					     cbRsnIe);
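Review bot: The new bound in both hunks of csr_util.c is tied to the destination buffer only by convention: `pWpaIe` and `pRsnIe` arrive without a size, so `DOT11F_IE_RSN_MAX_LEN` is the right limit only while every caller passes a buffer of at least that many bytes, which the commit message asserts but these hunks do not show. I would state that contract where the check is made, for example `/* caller's pRsnIe buffer must hold DOT11F_IE_RSN_MAX_LEN bytes */` above each comparison; the WPA path in csr_retrieve_wpa_ie needs the same comment because it is now bounded by the RSN constant rather than a WPA-specific one. The `(uint8_t)` casts on `nWPAReqIELength` and `nRSNReqIELength` were trivially safe against the old literal 255, and now stay lossless only if `DOT11F_IE_RSN_MAX_LEN` is at most 255, which is presumably true but worth pinning with a compile-time assertion next to these checks. Both function bodies start and end outside the hunks, so what the functions return when the length is rejected is not visible here.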