staging: wilc1000: free memory allocated for general info message from firmware

Free allocated memory for failure scenario while processing the information message received from the firmware. Added NULL check and used kmemdup in the flow of handling information message. Signed-off-by: Ajay Singh <ajay.kathat@microchip.com> Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-03-06 20:59:54 +01:00 · 2018-03-26 17:16:03 +05:30 · 2018-03-26 17:16:03 +05:30 · fe014d4e6b
commit fe014d4e6b
parent 158152be0a
1 changed files with 31 additions and 17 deletions
--- a/drivers/staging/wilc1000/host_interface.c
+++ b/drivers/staging/wilc1000/host_interface.c
@ -1358,16 +1358,15 @@ static inline void host_int_parse_assoc_resp_info(struct wilc_vif *vif,
 				if (conn_info.status == SUCCESSFUL_STATUSCODE &&
 				    connect_resp_info->ies) {
-					conn_info.resp_ies_len = connect_resp_info->ies_len;
+					conn_info.resp_ies = kmemdup(connect_resp_info->ies,
-					conn_info.resp_ies = kmalloc(connect_resp_info->ies_len, GFP_KERNEL);
+								     connect_resp_info->ies_len,
-					memcpy(conn_info.resp_ies, connect_resp_info->ies,
+								     GFP_KERNEL);
-					       connect_resp_info->ies_len);
+					if (conn_info.resp_ies)
 						conn_info.resp_ies_len = connect_resp_info->ies_len;
 				}
-				if (connect_resp_info) {
+				kfree(connect_resp_info->ies);
-					kfree(connect_resp_info->ies);
+				kfree(connect_resp_info);
 					kfree(connect_resp_info);
 				}
 			}
 		}
 	}
@ -1393,11 +1392,11 @@ static inline void host_int_parse_assoc_resp_info(struct wilc_vif *vif,
 	}
 	if (hif_drv->usr_conn_req.ies) {
-		conn_info.req_ies_len = hif_drv->usr_conn_req.ies_len;
+		conn_info.req_ies = kmemdup(conn_info.req_ies,
-		conn_info.req_ies = kmalloc(hif_drv->usr_conn_req.ies_len,
+					    hif_drv->usr_conn_req.ies_len,
 					    GFP_KERNEL);
-		memcpy(conn_info.req_ies, hif_drv->usr_conn_req.ies,
+		if (conn_info.req_ies)
-		       hif_drv->usr_conn_req.ies_len);
+			conn_info.req_ies_len = hif_drv->usr_conn_req.ies_len;
 	}
 	del_timer(&hif_drv->connect_timer);
@ -1475,17 +1474,25 @@ static s32 handle_rcvd_gnrl_async_info(struct wilc_vif *vif,
 	u8 mac_status_additional_info;
 	struct host_if_drv *hif_drv = vif->hif_drv;
 	if (!rcvd_info->buffer) {
 		netdev_err(vif->ndev, "Received buffer is NULL\n");
 		return -EINVAL;
 	}
 	if (!hif_drv) {
 		netdev_err(vif->ndev, "Driver handler is NULL\n");
 		kfree(rcvd_info->buffer);
 		rcvd_info->buffer = NULL;
 		return -ENODEV;
 	}
 	if (hif_drv->hif_state == HOST_IF_WAITING_CONN_RESP ||
 	    hif_drv->hif_state == HOST_IF_CONNECTED ||
 	    hif_drv->usr_scan_req.scan_result) {
-		if (!rcvd_info->buffer ||
+		if (!hif_drv->usr_conn_req.conn_result) {
 		    !hif_drv->usr_conn_req.conn_result) {
 			netdev_err(vif->ndev, "driver is null\n");
 			kfree(rcvd_info->buffer);
 			rcvd_info->buffer = NULL;
 			return -EINVAL;
 		}
@ -1493,6 +1500,8 @@ static s32 handle_rcvd_gnrl_async_info(struct wilc_vif *vif,
 		if ('I' != msg_type) {
 			netdev_err(vif->ndev, "Received Message incorrect.\n");
 			kfree(rcvd_info->buffer);
 			rcvd_info->buffer = NULL;
 			return -EFAULT;
 		}
@ -3539,12 +3548,17 @@ void wilc_gnrl_async_info_received(struct wilc *wilc, u8 *buffer, u32 length)
 	msg.vif = vif;
 	msg.body.async_info.len = length;
-	msg.body.async_info.buffer = kmalloc(length, GFP_KERNEL);
+	msg.body.async_info.buffer = kmemdup(buffer, length, GFP_KERNEL);
-	memcpy(msg.body.async_info.buffer, buffer, length);
+	if (!msg.body.async_info.buffer) {
 		mutex_unlock(&hif_deinit_lock);
 		return;
 	}
 	result = wilc_enqueue_cmd(&msg);
-	if (result)
+	if (result) {
 		netdev_err(vif->ndev, "synchronous info (%d)\n", result);
 		kfree(msg.body.async_info.buffer);
 	}
 	mutex_unlock(&hif_deinit_lock);
 }