qcacmn: Fix possible buffer overflow in send_scan_start_cmd_tlv

In the function send_scan_start_cmd_tlv(), extraie_len_with_pad
is computed as roundup(params->extraie.len, sizeof(uint32_t)).
But extraie_len_with_pad is of type uint8_t. This causes
integeroverflow of extraie_len_with_pad. The length of the
wmi command buffer for scan command (len) is incremented by
this extraie_len_with_pad to allocate memory for the additional
IEs that are passed from upper layer to the firmware. But when
params->extraie.len is greater than 255, extraie_len_with_pad
overflows and obtains lower value. This causes lower wmi buffer
length allocation but the copy is done for entire
params->extraie.len resulting in overwriting of the skb that is
passed to firmware. This causes host assert when this skb is
freed.

Change the data type of extraie_len_with_pad to uint16_t from
uint8_t as the additional IE sent from upper layer can have a
maximum length of 2048. Also change the data type of len from
int to size_t to avoid overflow of len.

Change-Id: I11fae83a85a3f787b37e47df97ffc4b183cba913
CRs-Fixed: 2405641