From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
 by mx.groups.io with SMTP id smtpd.web11.10589.1581954301960995182
 for <devel@edk2.groups.io>;
 Mon, 17 Feb 2020 07:45:02 -0800
Authentication-Results: mx.groups.io;
 dkim=missing; spf=none, err=permanent DNS error (domain: linux.intel.com, ip: 192.55.52.93, mailfrom: maciej.rabeda@linux.intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58])
  by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Feb 2020 07:45:01 -0800
X-IronPort-AV: E=Sophos;i="5.70,453,1574150400"; 
   d="scan'208";a="223859026"
Received: from mrabeda-mobl.ger.corp.intel.com (HELO [10.102.8.43]) ([10.102.8.43])
  by orsmga007-auth.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 17 Feb 2020 07:45:00 -0800
Subject: Re: [PATCH 1/1] NetworkPkg/ArpDxe: Recycle invalid ARP packets(CVE-2019-14559).
To: "Fu, Siyuan" <siyuan.fu@intel.com>,
 "Armour, Nicholas" <nicholas.armour@intel.com>,
 "devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Wu, Jiaxin" <jiaxin.wu@intel.com>
References: <cover.1581551021.git.nicholas.armour@intel.com>
 <bcb81b4d2751ce483cb06b4190046f9daa4fcb5e.1581551021.git.nicholas.armour@intel.com>
 <B1FF2E9001CE9041BD10B825821D5BC58B989326@SHSMSX103.ccr.corp.intel.com>
From: "Maciej Rabeda" <maciej.rabeda@linux.intel.com>
Message-ID: <4b95b702-c544-688d-ef03-8cee6787246b@linux.intel.com>
Date: Mon, 17 Feb 2020 16:44:53 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101
 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <B1FF2E9001CE9041BD10B825821D5BC58B989326@SHSMSX103.ccr.corp.intel.com>
Content-Type: text/plain; charset=gbk; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: pl

Hi Nicholas,

Instead of adding gBS->SignalEvent() lines, please utilize 
RECYCLE_RXDATA goto label. You can find the same gBS->SignalEvent() 
being done there.
Additionally, please apply goto change in place pointed by Siyuan.

Thanks,
Maciej

On 17-Feb-20 06:15, Fu, Siyuan wrote:
> Hi, Nicholas
>
> Should the signal recycle event also be added to below if condition?
>
>    if (RxData->DataLength < sizeof (ARP_HEAD)) {
>      //
>      // Restart the receiving if packet size is not correct.
>      //
>      goto RESTART_RECEIVE;
>    }
>
>
> Best Regards
> Siyuan
>
>> -----Original Message-----
>> From: Armour, Nicholas <nicholas.armour@intel.com>
>> Sent: 2020年2月13日 7:54
>> To: devel@edk2.groups.io
>> Cc: Armour, Nicholas <nicholas.armour@intel.com>; Wu, Jiaxin
>> <jiaxin.wu@intel.com>; Maciej Rabeda <maciej.rabeda@linux.intel.com>; Fu,
>> Siyuan <siyuan.fu@intel.com>
>> Subject: [PATCH 1/1] NetworkPkg/ArpDxe: Recycle invalid ARP packets(CVE-
>> 2019-14559).
>>
>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
>>
>> This patch triggers the RecycleEvent for invalid ARP packets.
>> Prior to this, we would just ignore invalid ARP packets,
>> and never free them.
>>
>> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
>> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
>> Cc: Siyuan Fu <siyuan.fu@intel.com>
>> Signed-off-by: Nicholas Armour <nicholas.armour@intel.com>
>> ---
>>   NetworkPkg/ArpDxe/ArpImpl.c | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/NetworkPkg/ArpDxe/ArpImpl.c b/NetworkPkg/ArpDxe/ArpImpl.c
>> index 9cdb33f2bd66..09fc8811f125 100644
>> --- a/NetworkPkg/ArpDxe/ArpImpl.c
>> +++ b/NetworkPkg/ArpDxe/ArpImpl.c
>> @@ -125,6 +125,7 @@ ArpOnFrameRcvdDpc (
>>     Head->OpCode    = NTOHS (Head->OpCode);
>>
>>     if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 *
>> Head->ProtoAddrLen)) {
>> +    gBS->SignalEvent (RxData->RecycleEvent);
>>       goto RESTART_RECEIVE;
>>     }
>>
>> --
>> 2.16.2.windows.1