From: Heyi Guo
To: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org
Cc: Heyi Guo, Junbiao Hong, Star Zeng, Eric Dong, Ruiyu Ni, Siyuan Fu, Jiaxin Wu
Date: Thu, 7 Dec 2017 10:21:47 +0800
Message-Id: <1512613307-62879-1-git-send-email-heyi.guo@linaro.org>
Subject: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak
List-Id: EDK II Development

When UEFI receives ICMP echo packets it will enter Ip4IcmpReplyEcho function, and then call Ip4Output. However, if Ip4Output gets some error and exits early, e.g. fails to find the route entry, memory buffer of "Data" gets no chance to be freed and memory leak will be caused. If there is such an attacker in the network, we will see UEFI runs out of memory and system hangs.

Network stack code is so complicated that this is just an RFC to fix this issue. Please provide your comments about this.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Junbiao Hong
Signed-off-by: Heyi Guo
Cc: Star Zeng
Cc: Eric Dong
Cc: Ruiyu Ni
Cc: Siyuan Fu
Cc: Jiaxin Wu
--- MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c index b4b0864..ed6bdbe 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( Ip4SysPacketSent, NULL ); + if (EFI_ERROR (Status)) { + NetbufFree (Data); + } ON_EXIT: NetbufFree (Packet); -- 2.7.4
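
Review bot: the added `NetbufFree (Data);` in Ip4IcmpReplyEcho runs for every error status returned by the call that ends in `Ip4SysPacketSent, NULL );`, but nothing in the hunk establishes that the caller still owns Data on all of those paths. Because Ip4SysPacketSent is handed over as the completion callback, any failure path inside the callee that has already invoked that callback or otherwise released the buffer would turn this fix into a double free, which is worse than the leak when the trigger is attacker-sent echo requests. Please confirm which error returns leave Data untouched and state the ownership rule in a comment above the new check (for example, that the caller frees Data only when the callback was never queued), or move the release into the callee's early-exit paths so every caller gets the same behaviour. Separately, a blank line between the closing `}` and the `ON_EXIT:` label would keep the label visually distinct from the new block.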