From: Heyi Guo <heyi.guo@linaro.org>
To: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org
Cc: Heyi Guo <heyi.guo@linaro.org>,
Junbiao Hong <hongjunbiao@huawei.com>,
Star Zeng <star.zeng@intel.com>, Eric Dong <eric.dong@intel.com>,
Ruiyu Ni <ruiyu.ni@intel.com>, Siyuan Fu <siyuan.fu@intel.com>,
Jiaxin Wu <jiaxin.wu@intel.com>
Subject: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak
Date: Thu, 7 Dec 2017 10:21:47 +0800 [thread overview]
Message-ID: <1512613307-62879-1-git-send-email-heyi.guo@linaro.org> (raw)
When UEFI receives IPMP echo packets it will enter Ip4IcmpReplyEcho
function, and then call Ip4Output. However, if Ip4Output gets some
error and exits early, e.g. fails to find the route entry, memory
buffer of "Data" gets no chance to be freed and memory leak will be
caused. If there is such an attacker in the network, we will see UEFI
runs out of memory and system hangs.
Network stack code is so complicated that this is just a RFC to fix
this issue. Please provide your comments about this.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Junbiao Hong <hongjunbiao@huawei.com>
Signed-off-by: Heyi Guo <heyi.guo@linaro.org>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
---
MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c
index b4b0864..ed6bdbe 100644
--- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c
+++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c
@@ -267,6 +267,9 @@ Ip4IcmpReplyEcho (
Ip4SysPacketSent,
NULL
);
+ if (EFI_ERROR (Status)) {
+ NetbufFree (Data);
+ }
ON_EXIT:
NetbufFree (Packet);
--
2.7.4
next reply other threads:[~2017-12-07 2:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-07 2:21 Heyi Guo [this message]
2017-12-07 2:47 ` [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak Fu, Siyuan
2017-12-07 7:01 ` Wu, Jiaxin
2017-12-07 12:23 ` Heyi Guo
2017-12-08 0:39 ` Wu, Jiaxin
2017-12-08 2:04 ` Guo Heyi
2017-12-08 6:00 ` Guo Heyi
2017-12-11 10:59 ` Guo Heyi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1512613307-62879-1-git-send-email-heyi.guo@linaro.org \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox