qcacmn: Avoid NULL pointer dereference in nl_srv

Currently nl_srv_bcast() and nl_srv_ucast() allocate a temporary
buffer to hold the netlink message which is subsequently sent to
userspace. The value returned by qdf_mem_malloc() is not checked for
NULL, and hence if NULL is returned it will be dereferenced.
However, the temporary buffer is not actually needed: the message payload
can be passed to send_msg_to_cld80211() directly from the skb. Update the
functions to do so, which removes the unchecked allocation entirely.

Change-Id: Ia12e1695498323c4e29b8280b9265c20393a2fe7
CRs-Fixed: 2111674
This commit is contained in:
Jeff Johnson
2017-09-18 07:42:14 -07:00
committed by snandini
parent 527d2b2994
commit fcf0cc6593


@@ -493,22 +493,17 @@ int nl_srv_bcast(struct sk_buff *skb, int mcgroup_id, int app_id)
struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data;
void *msg = NLMSG_DATA(nlh);
uint32_t msg_len = nlmsg_len(nlh);
uint8_t *tempbuf;
int status;
tempbuf = (uint8_t *)qdf_mem_malloc(msg_len);
qdf_mem_copy(tempbuf, msg, msg_len);
status = send_msg_to_cld80211(mcgroup_id, 0, app_id, tempbuf, msg_len);
status = send_msg_to_cld80211(mcgroup_id, 0, app_id, msg, msg_len);
if (status) {
QDF_TRACE(QDF_MODULE_ID_HDD, QDF_TRACE_LEVEL_ERROR,
"send msg to cld80211 fails for app id %d", app_id);
dev_kfree_skb(skb);
qdf_mem_free(tempbuf);
return -EPERM;
}
dev_kfree_skb(skb);
qdf_mem_free(tempbuf);
return 0;
}
qdf_export_symbol(nl_srv_bcast);
@@ -534,23 +529,18 @@ int nl_srv_ucast(struct sk_buff *skb, int dst_pid, int flag,
struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data;
void *msg = NLMSG_DATA(nlh);
uint32_t msg_len = nlmsg_len(nlh);
uint8_t *tempbuf;
int status;
tempbuf = (uint8_t *)qdf_mem_malloc(msg_len);
qdf_mem_copy(tempbuf, msg, msg_len);
status = send_msg_to_cld80211(mcgroup_id, dst_pid, app_id,
tempbuf, msg_len);
msg, msg_len);
if (status) {
QDF_TRACE(QDF_MODULE_ID_HDD, QDF_TRACE_LEVEL_ERROR,
"send msg to cld80211 fails for app id %d", app_id);
dev_kfree_skb(skb);
qdf_mem_free(tempbuf);
return -EPERM;
}
dev_kfree_skb(skb);
qdf_mem_free(tempbuf);
return 0;
}
#else
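Review bot: The payload length both functions now hand to send_msg_to_cld80211() is still taken only from the netlink header (`uint32_t msg_len = nlmsg_len(nlh);`) and is never reconciled with skb->len, so an skb whose nlmsg_len is larger than the buffer, or smaller than NLMSG_HDRLEN (nlmsg_len() subtracts the header size, and the negative result lands in the uint32_t as a huge value), lets the send read past the skb; the removed memcpy had the same exposure, so the commit neither introduces nor fixes it. If every caller builds the skb in-driver with nlmsg_put()/nlmsg_end() this is benign, but the check is cheap and keeps a malformed skb from reaching the cld80211 path, and the nl_srv_ucast hunk (whose parameter list continues outside the hunk) needs the same guard. Dropping the initializer on msg_len lets the length be validated before it is used, as sketched below for nl_srv_bcast. Separately, since `dev_kfree_skb(skb);` now runs on both paths, the error branch could just log and fall through to a single free with `return status ? -EPERM : 0;`.
```c
	struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data;
	void *msg = NLMSG_DATA(nlh);
	uint32_t msg_len;
	int status;

	/* nlmsg_len() reads nlh->nlmsg_len: the header must fit in the skb and
	 * the payload length it reports must not run past skb->len. */
	if (skb->len < NLMSG_HDRLEN || nlh->nlmsg_len < NLMSG_HDRLEN ||
	    nlh->nlmsg_len > skb->len) {
		dev_kfree_skb(skb);
		return -EINVAL;
	}
	msg_len = nlmsg_len(nlh);

	status = send_msg_to_cld80211(mcgroup_id, 0, app_id, msg, msg_len);
	/* … unchanged: error log, dev_kfree_skb, return … */
```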