From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga04.intel.com (mga04.intel.com [192.55.52.120])
 by mx.groups.io with SMTP id smtpd.web11.1042.1582152460438179906
 for <devel@edk2.groups.io>;
 Wed, 19 Feb 2020 14:47:40 -0800
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.120, mailfrom: nicholas.armour@intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
  by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Feb 2020 14:47:40 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,462,1574150400"; 
   d="scan'208";a="408590139"
Received: from narmour-mobl5.amr.corp.intel.com ([10.24.12.158])
  by orsmga005.jf.intel.com with ESMTP; 19 Feb 2020 14:47:39 -0800
From: "Armour, Nicholas" <nicholas.armour@intel.com>
To: devel@edk2.groups.io
Cc: Nicholas Armour <nicholas.armour@intel.com>,
	Jiaxin Wu <jiaxin.wu@intel.com>,
	Maciej Rabeda <maciej.rabeda@linux.intel.com>,
	Siyuan Fu <siyuan.fu@intel.com>
Subject: [PATCH v2 1/1] NetworkPkg/ArpDxe: Recycle invalid ARP packets(CVE-2019-14559).
Date: Wed, 19 Feb 2020 14:47:39 -0800
Message-Id: <30f46ad9ea28b26840f2d9323aaad1871a17d0af.1582152411.git.nicholas.armour@intel.com>
X-Mailer: git-send-email 2.16.2.windows.1
In-Reply-To: <cover.1582152411.git.nicholas.armour@intel.com>
References: <cover.1582152411.git.nicholas.armour@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031

This patch triggers the RecycleEvent for invalid ARP packets.
Prior to this, we would just ignore invalid ARP packets,
and never free them.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Nicholas Armour <nicholas.armour@intel.com>
---
 NetworkPkg/ArpDxe/ArpImpl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/NetworkPkg/ArpDxe/ArpImpl.c b/NetworkPkg/ArpDxe/ArpImpl.c
index 9cdb33f2bd66..703fe20cc892 100644
--- a/NetworkPkg/ArpDxe/ArpImpl.c
+++ b/NetworkPkg/ArpDxe/ArpImpl.c
@@ -113,7 +113,7 @@ ArpOnFrameRcvdDpc (
     //
     // Restart the receiving if packet size is not correct.
     //
-    goto RESTART_RECEIVE;
+    goto RECYCLE_RXDATA;
   }
 
   //
@@ -125,7 +125,7 @@ ArpOnFrameRcvdDpc (
   Head->OpCode    = NTOHS (Head->OpCode);
 
   if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) {
-    goto RESTART_RECEIVE;
+    goto RECYCLE_RXDATA;
   }
 
   if ((Head->HwType != ArpService->SnpMode.IfType) ||
-- 
2.16.2.windows.1