From mboxrd@z Thu Jan 1 00:00:00 1970
From: Heyi Guo
To: linaro-uefi@lists.linaro.org, edk2-devel@lists.01.org
Cc: Heyi Guo, Junbiao Hong, Star Zeng, Eric Dong, Ruiyu Ni, Siyuan Fu, Jiaxin Wu
Date: Mon, 11 Dec 2017 19:11:48 +0800
Message-Id: <1512990708-87399-1-git-send-email-heyi.guo@linaro.org>
Subject: [PATCH] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak
List-Id: EDK II Development

When UEFI receives ICMP echo packets it will enter the Ip4IcmpReplyEcho function, and then call Ip4Output. However, if Ip4Output gets some error and exits early, e.g. fails to find the route entry, the memory buffer of "Data" gets no chance to be freed and a memory leak will be caused. If there is such an attacker in the network, we will see UEFI run out of memory and the system hang. So we explicitly free the memory when an error status is returned.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Junbiao Hong
Signed-off-by: Heyi Guo
Reviewed-by: Siyuan Fu
Reviewed-by: Jiaxin Wu
Cc: Star Zeng
Cc: Eric Dong
Cc: Ruiyu Ni
Cc: Siyuan Fu
Cc: Jiaxin Wu
--- MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c index b4b0864..ed6bdbe 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( Ip4SysPacketSent, NULL ); + if (EFI_ERROR (Status)) { + NetbufFree (Data); + } ON_EXIT: NetbufFree (Packet); -- 2.7.4
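
Review bot: the added `if (EFI_ERROR (Status))` block after the Ip4Output call frees Data on every error return, which is only safe if Ip4Output never releases Data itself, and never runs the Ip4SysPacketSent callback passed in that call, before it returns an error. Please confirm this for each failure path in Ip4Output, since the commit message names only the missing route entry case; if any path has already handed the buffer to the callback or freed it, this change replaces the leak with a double free on a path driven by network input. A short comment above the check stating that Data remains owned by the caller when Ip4Output fails would document the contract for later readers of Ip4IcmpReplyEcho.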