staging: wilc1000: free memory allocated for general info message from firmware

Free allocated memory for failure scenario while processing the
information message received from the firmware. Added NULL check and used
kmemdup in the flow of handling information message.
Signed-off-by: NAjay Singh <ajay.kathat@microchip.com>
Reviewed-by: NClaudiu Beznea <claudiu.beznea@microchip.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/staging/wilc1000/host_interface.c

@@ -1358,16 +1358,15 @@ static inline void host_int_parse_assoc_resp_info(struct wilc_vif *vif,
 
 				if (conn_info.status == SUCCESSFUL_STATUSCODE &&
 				    connect_resp_info->ies) {
-					conn_info.resp_ies_len = connect_resp_info->ies_len;
-					conn_info.resp_ies = kmalloc(connect_resp_info->ies_len, GFP_KERNEL);
-					memcpy(conn_info.resp_ies, connect_resp_info->ies,
-					       connect_resp_info->ies_len);
+					conn_info.resp_ies = kmemdup(connect_resp_info->ies,
+								     connect_resp_info->ies_len,
+								     GFP_KERNEL);
+					if (conn_info.resp_ies)
+						conn_info.resp_ies_len = connect_resp_info->ies_len;
 				}
 
-				if (connect_resp_info) {
-					kfree(connect_resp_info->ies);
-					kfree(connect_resp_info);
-				}
+				kfree(connect_resp_info->ies);
+				kfree(connect_resp_info);
 			}
 		}
 	}
@@ -1393,11 +1392,11 @@ static inline void host_int_parse_assoc_resp_info(struct wilc_vif *vif,
 	}
 
 	if (hif_drv->usr_conn_req.ies) {
-		conn_info.req_ies_len = hif_drv->usr_conn_req.ies_len;
-		conn_info.req_ies = kmalloc(hif_drv->usr_conn_req.ies_len,
+		conn_info.req_ies = kmemdup(conn_info.req_ies,
+					    hif_drv->usr_conn_req.ies_len,
 					    GFP_KERNEL);
-		memcpy(conn_info.req_ies, hif_drv->usr_conn_req.ies,
-		       hif_drv->usr_conn_req.ies_len);
+		if (conn_info.req_ies)
+			conn_info.req_ies_len = hif_drv->usr_conn_req.ies_len;
 	}
 
 	del_timer(&hif_drv->connect_timer);
@@ -1475,17 +1474,25 @@ static s32 handle_rcvd_gnrl_async_info(struct wilc_vif *vif,
 	u8 mac_status_additional_info;
 	struct host_if_drv *hif_drv = vif->hif_drv;
 
+	if (!rcvd_info->buffer) {
+		netdev_err(vif->ndev, "Received buffer is NULL\n");
+		return -EINVAL;
+	}
+
 	if (!hif_drv) {
 		netdev_err(vif->ndev, "Driver handler is NULL\n");
+		kfree(rcvd_info->buffer);
+		rcvd_info->buffer = NULL;
 		return -ENODEV;
 	}
 
 	if (hif_drv->hif_state == HOST_IF_WAITING_CONN_RESP ||
 	    hif_drv->hif_state == HOST_IF_CONNECTED ||
 	    hif_drv->usr_scan_req.scan_result) {
-		if (!rcvd_info->buffer ||
-		    !hif_drv->usr_conn_req.conn_result) {
+		if (!hif_drv->usr_conn_req.conn_result) {
 			netdev_err(vif->ndev, "driver is null\n");
+			kfree(rcvd_info->buffer);
+			rcvd_info->buffer = NULL;
 			return -EINVAL;
 		}
 
@@ -1493,6 +1500,8 @@ static s32 handle_rcvd_gnrl_async_info(struct wilc_vif *vif,
 
 		if ('I' != msg_type) {
 			netdev_err(vif->ndev, "Received Message incorrect.\n");
+			kfree(rcvd_info->buffer);
+			rcvd_info->buffer = NULL;
 			return -EFAULT;
 		}
 
@@ -3539,12 +3548,17 @@ void wilc_gnrl_async_info_received(struct wilc *wilc, u8 *buffer, u32 length)
 	msg.vif = vif;
 
 	msg.body.async_info.len = length;
-	msg.body.async_info.buffer = kmalloc(length, GFP_KERNEL);
-	memcpy(msg.body.async_info.buffer, buffer, length);
+	msg.body.async_info.buffer = kmemdup(buffer, length, GFP_KERNEL);
+	if (!msg.body.async_info.buffer) {
+		mutex_unlock(&hif_deinit_lock);
+		return;
+	}
 
 	result = wilc_enqueue_cmd(&msg);
-	if (result)
+	if (result) {
 		netdev_err(vif->ndev, "synchronous info (%d)\n", result);
+		kfree(msg.body.async_info.buffer);
+	}
 
 	mutex_unlock(&hif_deinit_lock);
 }