diff options
| -rw-r--r-- | drivers/staging/wilc1000/host_interface.c | 48 |
1 files changed, 31 insertions, 17 deletions
diff --git a/drivers/staging/wilc1000/host_interface.c b/drivers/staging/wilc1000/host_interface.c index 021eba4a726e..1b32e717099b 100644 --- a/drivers/staging/wilc1000/host_interface.c +++ b/drivers/staging/wilc1000/host_interface.c @@ -1358,16 +1358,15 @@ static inline void host_int_parse_assoc_resp_info(struct wilc_vif *vif, if (conn_info.status == SUCCESSFUL_STATUSCODE && connect_resp_info->ies) { - conn_info.resp_ies_len = connect_resp_info->ies_len; - conn_info.resp_ies = kmalloc(connect_resp_info->ies_len, GFP_KERNEL); - memcpy(conn_info.resp_ies, connect_resp_info->ies, - connect_resp_info->ies_len); + conn_info.resp_ies = kmemdup(connect_resp_info->ies, + connect_resp_info->ies_len, + GFP_KERNEL); + if (conn_info.resp_ies) + conn_info.resp_ies_len = connect_resp_info->ies_len; } - if (connect_resp_info) { - kfree(connect_resp_info->ies); - kfree(connect_resp_info); - } + kfree(connect_resp_info->ies); + kfree(connect_resp_info); } } } @@ -1393,11 +1392,11 @@ static inline void host_int_parse_assoc_resp_info(struct wilc_vif *vif, } if (hif_drv->usr_conn_req.ies) { - conn_info.req_ies_len = hif_drv->usr_conn_req.ies_len; - conn_info.req_ies = kmalloc(hif_drv->usr_conn_req.ies_len, + conn_info.req_ies = kmemdup(conn_info.req_ies, + hif_drv->usr_conn_req.ies_len, GFP_KERNEL); - memcpy(conn_info.req_ies, hif_drv->usr_conn_req.ies, - hif_drv->usr_conn_req.ies_len); + if (conn_info.req_ies) + conn_info.req_ies_len = hif_drv->usr_conn_req.ies_len; } del_timer(&hif_drv->connect_timer); @@ -1475,17 +1474,25 @@ static s32 handle_rcvd_gnrl_async_info(struct wilc_vif *vif, u8 mac_status_additional_info; struct host_if_drv *hif_drv = vif->hif_drv; + if (!rcvd_info->buffer) { + netdev_err(vif->ndev, "Received buffer is NULL\n"); + return -EINVAL; + } + if (!hif_drv) { netdev_err(vif->ndev, "Driver handler is NULL\n"); + kfree(rcvd_info->buffer); + rcvd_info->buffer = NULL; return -ENODEV; } if (hif_drv->hif_state == HOST_IF_WAITING_CONN_RESP || hif_drv->hif_state == HOST_IF_CONNECTED || hif_drv->usr_scan_req.scan_result) { - if (!rcvd_info->buffer || - !hif_drv->usr_conn_req.conn_result) { + if (!hif_drv->usr_conn_req.conn_result) { netdev_err(vif->ndev, "driver is null\n"); + kfree(rcvd_info->buffer); + rcvd_info->buffer = NULL; return -EINVAL; } @@ -1493,6 +1500,8 @@ static s32 handle_rcvd_gnrl_async_info(struct wilc_vif *vif, if ('I' != msg_type) { netdev_err(vif->ndev, "Received Message incorrect.\n"); + kfree(rcvd_info->buffer); + rcvd_info->buffer = NULL; return -EFAULT; } @@ -3539,12 +3548,17 @@ void wilc_gnrl_async_info_received(struct wilc *wilc, u8 *buffer, u32 length) msg.vif = vif; msg.body.async_info.len = length; - msg.body.async_info.buffer = kmalloc(length, GFP_KERNEL); - memcpy(msg.body.async_info.buffer, buffer, length); + msg.body.async_info.buffer = kmemdup(buffer, length, GFP_KERNEL); + if (!msg.body.async_info.buffer) { + mutex_unlock(&hif_deinit_lock); + return; + } result = wilc_enqueue_cmd(&msg); - if (result) + if (result) { netdev_err(vif->ndev, "synchronous info (%d)\n", result); + kfree(msg.body.async_info.buffer); + } mutex_unlock(&hif_deinit_lock); } |