qcacmn: Add check to validate ml cap offset

Before passing ml cap offset, there is no proper
check for its validation, which may lead to OOB.

Add a check for its offset, before passing.

Change-Id: I5e5a10e8740b3cd3fcef2c6aef1f0a43c74818cd
CRs-Fixed: 3581103

umac/mlo_mgr/src/utils_mlo.c

@@ -3177,7 +3177,8 @@ util_get_bvmlie_bssparamchangecnt(uint8_t *mlieseq, qdf_size_t mlieseqlen,
 	uint16_t mlcontrol;
 	uint16_t presencebitmap;
 	uint8_t *commoninfo;
-	qdf_size_t commoninfolen;
+	uint8_t commoninfolen;
+	qdf_size_t mldcap_offset;
 
 	if (!mlieseq || !mlieseqlen || !bssparamchangecntfound ||
 	    !bssparamchangecnt)
@@ -3207,21 +3208,31 @@ util_get_bvmlie_bssparamchangecnt(uint8_t *mlieseq, qdf_size_t mlieseqlen,
 				      WLAN_ML_CTRL_PBM_BITS);
 
 	commoninfo = mlieseq + sizeof(struct wlan_ie_multilink);
-	commoninfolen = WLAN_ML_BV_CINFO_LENGTH_SIZE;
+	commoninfolen = *(mlieseq + sizeof(struct wlan_ie_multilink));
 
-	commoninfolen += QDF_MAC_ADDR_SIZE;
+	mldcap_offset = WLAN_ML_BV_CINFO_LENGTH_SIZE;
+
+	mldcap_offset += QDF_MAC_ADDR_SIZE;
 
 	if (presencebitmap & WLAN_ML_BV_CTRL_PBM_LINKIDINFO_P) {
-		commoninfolen += WLAN_ML_BV_CINFO_LINKIDINFO_SIZE;
+		mldcap_offset += WLAN_ML_BV_CINFO_LINKIDINFO_SIZE;
 
-		if ((sizeof(struct wlan_ie_multilink) + commoninfolen) >
+		if ((sizeof(struct wlan_ie_multilink) + mldcap_offset) >
 				mlieseqlen)
 			return QDF_STATUS_E_PROTO;
 	}
 
 	if (presencebitmap & WLAN_ML_BV_CTRL_PBM_BSSPARAMCHANGECNT_P) {
+		if (commoninfolen < (mldcap_offset +
+				     WLAN_ML_BSSPARAMCHNGCNT_SIZE))
+			return QDF_STATUS_E_PROTO;
+
+		if ((sizeof(struct wlan_ie_multilink) + mldcap_offset +
+				WLAN_ML_BSSPARAMCHNGCNT_SIZE) >
+				mlieseqlen)
+			return QDF_STATUS_E_PROTO;
 		*bssparamchangecntfound = true;
-		*bssparamchangecnt = *(commoninfo + commoninfolen);
+		*bssparamchangecnt = *(commoninfo + mldcap_offset);
 	}
 
 	return QDF_STATUS_SUCCESS;