Fix LCI request subelement processing

Commit 4a742011ab ('wpa_supplicant: Handle LCI request') introduced LCI
request parsing in a manner that incremented the request pointer by four
within wpas_rrm_build_lci_report() without decrementing len
correspondingly.
This could potentially result in get_ie() reading four octets beyond the
buffer if a corrupted request is received. This would be applicable only
if the LCI reporting was enabled explicitly ("SET LCI ..." control
interface command).

Fix this by updating the len variable to match the request pointer
changes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 2017-01-03 15:12:34 +02:00 committed by Jouni Malinen
parent ce691a8d96
commit 6a31440b86
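
The mismatch described in the commit message, as an added illustration that is not hostap code. `find_tlv()` is a hypothetical stand-in for get_ie(), `has_wanted()` is a hypothetical parser, and the buffer contents and subelement IDs are constructed; the trailing four octets play the role of whatever lies after the request.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR_LEN   4   /* token, mode, type, subject */
#define WANTED_ID 4   /* constructed subelement ID */
#define REQ_LEN   8   /* length of the request proper */

/* Hypothetical TLV walker standing in for get_ie(): scans p[0..len). */
static const uint8_t *find_tlv(const uint8_t *p, size_t len, uint8_t id)
{
	while (len >= 2) {
		size_t tlv = 2 + (size_t)p[1];
		if (tlv > len)
			break;          /* truncated element */
		if (p[0] == id)
			return p;
		p += tlv;
		len -= tlv;
	}
	return NULL;
}

/* Hypothetical parser: skips the 4-octet header, then looks for WANTED_ID.
 * sync_len = 0 reproduces the pre-fix behaviour (len is not reduced). */
static int has_wanted(const uint8_t *req, size_t len, int sync_len)
{
	if (len < HDR_LEN)
		return -1;              /* too short to hold the header */
	req += HDR_LEN;
	if (sync_len)
		len -= HDR_LEN;         /* keep len in step with the pointer */
	return find_tlv(req, len, WANTED_ID) != NULL;
}

/* Constructed input: an 8-octet request followed by 4 unrelated octets. */
static const uint8_t mem[12] = {
	0x01, 0x00, 0x08, 0x00,   /* token, mode, type, subject */
	0x01, 0x02, 0xaa, 0xbb,   /* subelement ID 1, length 2 */
	0x04, 0x02, 0x10, 0x00    /* outside the request: parses as ID 4 */
};

int main(void)
{
	/* Unsynced len finds ID 4 beyond the request; synced len does not. */
	return !(has_wanted(mem, REQ_LEN, 0) == 1 &&
		 has_wanted(mem, REQ_LEN, 1) == 0);
}
```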

@ -6565,6 +6565,7 @@ static struct wpabuf * wpas_rrm_build_lci_report(struct wpa_supplicant *wpa_s,
request++;
type = *request++;
subject = *request++;
len -= 4;
wpa_printf(MSG_DEBUG,
"Measurement request token %u type %u location subject %u",
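Review bot: `len -= 4;` after the header reads is only safe if `len` was already checked to be at least 4 before this point, and no such check is visible in this hunk's context. If `len` is an unsigned type, a shorter request would make the subtraction wrap and the later get_ie() call would be handed a very large length instead of a too-large-by-four one. Please confirm the guard exists above these lines, or add one before the header octets are consumed. It would also help to keep the pointer advance and the length update next to each other, or to derive both from a single header-size constant, so the two cannot drift apart again.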