
qcacld-3.0: Fix incorrect typecasting of ext ie

The extended capabilities IE from hostapd is of variable
length, but it is always typecast to a fixed length
of 11 octets. This leads to an out-of-bounds (OOB) memory
access, and incorrect data gets read. In this case, beacon
protection is not enabled in the ext cap IE, but due to the
OOB access beacon protection is read as 1.

Fix the OOB access by typecasting the IE to the length of
the IE.

Change-Id: Id9a54e3467fa9f7a49687da41411a421fd9c9d37
CRs-Fixed: 3178294
Surya Prakash Sivaraj 3 years ago
parent
commit
cbf4312913
1 changed files with 8 additions and 5 deletions
  1. 8 5
      core/hdd/src/wlan_hdd_hostapd.c

+ 8 - 5
core/hdd/src/wlan_hdd_hostapd.c

@@ -5690,7 +5690,7 @@ int wlan_hdd_cfg80211_start_bss(struct hdd_adapter *adapter,
 	bool bval = false;
 	bool enable_dfs_scan = true;
 	bool deliver_start_evt = true;
-	struct s_ext_cap *p_ext_cap;
+	struct s_ext_cap p_ext_cap = {0};
 	enum reg_phymode reg_phy_mode, updated_phy_mode;
 	struct sap_context *sap_ctx;
 	struct wlan_objmgr_vdev *vdev;
@@ -5837,13 +5837,16 @@ int wlan_hdd_cfg80211_start_bss(struct hdd_adapter *adapter,
 		if (ie) {
 			bool target_bigtk_support = false;
 
-			p_ext_cap = (struct s_ext_cap *)(&ie[2]);
-			hdd_err("beacon protection %d",
-				p_ext_cap->beacon_protection_enable);
+			memcpy(&p_ext_cap, &ie[2], (ie[1] > sizeof(p_ext_cap)) ?
+			       sizeof(p_ext_cap) : ie[1]);
+
+			hdd_debug("beacon protection %d",
+				  p_ext_cap.beacon_protection_enable);
+
 			ucfg_mlme_get_bigtk_support(hdd_ctx->psoc,
 						    &target_bigtk_support);
 			if (target_bigtk_support &&
-			    p_ext_cap->beacon_protection_enable)
+			    p_ext_cap.beacon_protection_enable)
 				mlme_set_bigtk_support(vdev, true);
 		}