From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
 by mx.groups.io with SMTP id smtpd.web11.1214.1585676540592903966
 for <devel@edk2.groups.io>;
 Tue, 31 Mar 2020 10:42:20 -0700
Authentication-Results: mx.groups.io;
 dkim=missing; spf=none, err=permanent DNS error (domain: linux.intel.com, ip: 134.134.136.24, mailfrom: maciej.rabeda@linux.intel.com)
IronPort-SDR: zFu/6mcv52KSOZzdL7CZmET5lkQ3n0TiX0FHjbuN526pO/sNxY5ViSsXjZy7mjd1R7ulI+an9Q
 t7QZvukm3r4g==
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga004.jf.intel.com ([10.7.209.38])
  by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Mar 2020 10:42:19 -0700
IronPort-SDR: GUHHfTErAJiWStB9jz9LUgb7IQhKYoYGI2lIChQFNGYrnrQEwQBd57R2KLXmGsHK7KS8oTFHff
 PaOAWnIxEtfQ==
X-IronPort-AV: E=Sophos;i="5.72,328,1580803200"; 
   d="scan'208,217";a="395581188"
Received: from mrabeda-mobl.ger.corp.intel.com (HELO [10.213.8.245]) ([10.213.8.245])
  by orsmga004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Mar 2020 10:42:18 -0700
Subject: Re: [edk2-devel] [PATCH v1] ShellPkg: Fix 'ping' command Ip4 receive flow.
To: devel@edk2.groups.io, zhichao.gao@intel.com,
 "Fu, Siyuan" <siyuan.fu@intel.com>, "lersek@redhat.com" <lersek@redhat.com>,
 "Ni, Ray" <ray.ni@intel.com>
References: <20200227110212.1070-1-maciej.rabeda@linux.intel.com>
 <e319a343-543d-74c4-2eaf-a10590b72bf4@redhat.com>
 <B1FF2E9001CE9041BD10B825821D5BC58B9E7E15@SHSMSX103.ccr.corp.intel.com>
 <6dd95320cdd64694803d258a7f781751@intel.com>
From: "Maciej Rabeda" <maciej.rabeda@linux.intel.com>
Message-ID: <60d60f28-1e19-3d47-d8a3-30ebbb05358e@linux.intel.com>
Date: Tue, 31 Mar 2020 19:42:15 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101
 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <6dd95320cdd64694803d258a7f781751@intel.com>
Content-Type: multipart/alternative;
 boundary="------------2A8B4A4C17DB135CFDB1EACB"
Content-Language: pl

--------------2A8B4A4C17DB135CFDB1EACB
Content-Type: text/plain; charset=iso-2022-jp; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit

Much appreciated, I'll submit the patch tomorrow :)

On 31-Mar-20 16:50, Gao, Zhichao wrote:
> Acked-by: Zhichao Gao <zhichao.gao@intel.com>
>
>> -----Original Message-----
>> From: Fu, Siyuan <siyuan.fu@intel.com>
>> Sent: Tuesday, March 31, 2020 7:54 PM
>> To: devel@edk2.groups.io; lersek@redhat.com; Ni, Ray <ray.ni@intel.com>;
>> Gao, Zhichao <zhichao.gao@intel.com>
>> Cc: maciej.rabeda@linux.intel.com
>> Subject: RE: [edk2-devel] [PATCH v1] ShellPkg: Fix 'ping' command Ip4 receive
>> flow.
>>
>> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
>>
>>> -----Original Message-----
>>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo
>>> Ersek
>>> Sent: 2020年3月25日 19:34
>>> To: Ni, Ray <ray.ni@intel.com>; Gao, Zhichao <zhichao.gao@intel.com>
>>> Cc: devel@edk2.groups.io; maciej.rabeda@linux.intel.com
>>> Subject: Re: [edk2-devel] [PATCH v1] ShellPkg: Fix 'ping' command Ip4
>>> receive flow.
>>>
>>> Ray, Zhichao,
>>>
>>> On 02/27/20 12:02, Maciej Rabeda wrote:
>>>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2032
>>>>
>>>> 'ping' command's receive flow utilizes a single Rx token which it
>>>> attempts to reuse before recycling the previously received packet.
>>>> This causes a situation where under ICMP traffic,
>>>> Ping6OnEchoReplyReceived() function will receive an already recycled
>>>> packet with EFI_SUCCESS token status and finally dereference invalid
>>>> pointers from RxData structure.
>>>>
>>>> Cc: Ray Ni <ray.ni@intel.com>
>>>> Cc: Zhichao Gao <zhichao.gao@intel.com>
>>>> Signed-off-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
>>>> ---
>>>>   ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c | 9 +++++----
>>>>   1 file changed, 5 insertions(+), 4 deletions(-)
>>> can you please review this ShellPkg patch? It's been on the list for
>>> almost a month now.
>>>
>>> Thanks
>>> Laszlo
>>>
>>>> diff --git a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
>>> b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
>>>> index 23567fa2c1bb..a3fa32515192 100644
>>>> --- a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
>>>> +++ b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
>>>> @@ -614,6 +614,11 @@ Ping6OnEchoReplyReceived (
>>>>
>>>>   ON_EXIT:
>>>>
>>>> +  //
>>>> +  // Recycle the packet before reusing RxToken  //
>>>> + gBS->SignalEvent (Private->IpChoice ==
>>> PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private-
>>>> RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private
>>>> - RxToken.Packet.RxData)->RecycleSignal);
>>>> +
>>>>     if (Private->RxCount < Private->SendNum) {
>>>>       //
>>>>       // Continue to receive icmp echo reply packets.
>>>> @@ -632,10 +637,6 @@ ON_EXIT:
>>>>       //
>>>>       Private->Status = EFI_SUCCESS;
>>>>     }
>>>> -  //
>>>> -  // Singal to recycle the each rxdata here, not at the end of process.
>>>> -  //
>>>> -  gBS->SignalEvent (Private->IpChoice ==
>>> PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private-
>>>> RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private
>>>> - RxToken.Packet.RxData)->RecycleSignal);
>>>>   }
>>>>
>>>>   /**
>>>>
>>>
>>>
>
> 
>

--------------2A8B4A4C17DB135CFDB1EACB
Content-Type: text/html; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=ISO-2022-JP">
  </head>
  <body>
    <p><font face="Calibri">Much appreciated, I'll submit the patch
        tomorrow :)</font><br>
    </p>
    <div class="moz-cite-prefix">On 31-Mar-20 16:50, Gao, Zhichao wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:6dd95320cdd64694803d258a7f781751@intel.com">
      <pre class="moz-quote-pre" wrap="">Acked-by: Zhichao Gao <a class="moz-txt-link-rfc2396E" href="mailto:zhichao.gao@intel.com">&lt;zhichao.gao@intel.com&gt;</a>

</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">-----Original Message-----
From: Fu, Siyuan <a class="moz-txt-link-rfc2396E" href="mailto:siyuan.fu@intel.com">&lt;siyuan.fu@intel.com&gt;</a>
Sent: Tuesday, March 31, 2020 7:54 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a>; <a class="moz-txt-link-abbreviated" href="mailto:lersek@redhat.com">lersek@redhat.com</a>; Ni, Ray <a class="moz-txt-link-rfc2396E" href="mailto:ray.ni@intel.com">&lt;ray.ni@intel.com&gt;</a>;
Gao, Zhichao <a class="moz-txt-link-rfc2396E" href="mailto:zhichao.gao@intel.com">&lt;zhichao.gao@intel.com&gt;</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:maciej.rabeda@linux.intel.com">maciej.rabeda@linux.intel.com</a>
Subject: RE: [edk2-devel] [PATCH v1] ShellPkg: Fix 'ping' command Ip4 receive
flow.

Reviewed-by: Siyuan Fu <a class="moz-txt-link-rfc2396E" href="mailto:siyuan.fu@intel.com">&lt;siyuan.fu@intel.com&gt;</a>

</pre>
        <blockquote type="cite">
          <pre class="moz-quote-pre" wrap="">-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a> <a class="moz-txt-link-rfc2396E" href="mailto:devel@edk2.groups.io">&lt;devel@edk2.groups.io&gt;</a> On Behalf Of Laszlo
Ersek
Sent: 2020年3月25日 19:34
To: Ni, Ray <a class="moz-txt-link-rfc2396E" href="mailto:ray.ni@intel.com">&lt;ray.ni@intel.com&gt;</a>; Gao, Zhichao <a class="moz-txt-link-rfc2396E" href="mailto:zhichao.gao@intel.com">&lt;zhichao.gao@intel.com&gt;</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a>; <a class="moz-txt-link-abbreviated" href="mailto:maciej.rabeda@linux.intel.com">maciej.rabeda@linux.intel.com</a>
Subject: Re: [edk2-devel] [PATCH v1] ShellPkg: Fix 'ping' command Ip4
receive flow.

Ray, Zhichao,

On 02/27/20 12:02, Maciej Rabeda wrote:
</pre>
          <blockquote type="cite">
            <pre class="moz-quote-pre" wrap="">REF: <a class="moz-txt-link-freetext" href="https://bugzilla.tianocore.org/show_bug.cgi?id=2032">https://bugzilla.tianocore.org/show_bug.cgi?id=2032</a>

'ping' command's receive flow utilizes a single Rx token which it
attempts to reuse before recycling the previously received packet.
This causes a situation where under ICMP traffic,
Ping6OnEchoReplyReceived() function will receive an already recycled
packet with EFI_SUCCESS token status and finally dereference invalid
pointers from RxData structure.

Cc: Ray Ni <a class="moz-txt-link-rfc2396E" href="mailto:ray.ni@intel.com">&lt;ray.ni@intel.com&gt;</a>
Cc: Zhichao Gao <a class="moz-txt-link-rfc2396E" href="mailto:zhichao.gao@intel.com">&lt;zhichao.gao@intel.com&gt;</a>
Signed-off-by: Maciej Rabeda <a class="moz-txt-link-rfc2396E" href="mailto:maciej.rabeda@linux.intel.com">&lt;maciej.rabeda@linux.intel.com&gt;</a>
---
 ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
</pre>
          </blockquote>
          <pre class="moz-quote-pre" wrap="">
can you please review this ShellPkg patch? It's been on the list for
almost a month now.

Thanks
Laszlo

</pre>
          <blockquote type="cite">
            <pre class="moz-quote-pre" wrap="">diff --git a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
</pre>
          </blockquote>
          <pre class="moz-quote-pre" wrap="">b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
</pre>
          <blockquote type="cite">
            <pre class="moz-quote-pre" wrap="">index 23567fa2c1bb..a3fa32515192 100644
--- a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
+++ b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
@@ -614,6 +614,11 @@ Ping6OnEchoReplyReceived (

 ON_EXIT:

+  //
+  // Recycle the packet before reusing RxToken  //
+ gBS-&gt;SignalEvent (Private-&gt;IpChoice ==
</pre>
          </blockquote>
          <pre class="moz-quote-pre" wrap="">PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private-
</pre>
          <blockquote type="cite">
            <pre class="moz-quote-pre" wrap="">RxToken.Packet.RxData)-&gt;RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private
- RxToken.Packet.RxData)-&gt;RecycleSignal);
+
   if (Private-&gt;RxCount &lt; Private-&gt;SendNum) {
     //
     // Continue to receive icmp echo reply packets.
@@ -632,10 +637,6 @@ ON_EXIT:
     //
     Private-&gt;Status = EFI_SUCCESS;
   }
-  //
-  // Singal to recycle the each rxdata here, not at the end of process.
-  //
-  gBS-&gt;SignalEvent (Private-&gt;IpChoice ==
</pre>
          </blockquote>
          <pre class="moz-quote-pre" wrap="">PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private-
</pre>
          <blockquote type="cite">
            <pre class="moz-quote-pre" wrap="">RxToken.Packet.RxData)-&gt;RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private
- RxToken.Packet.RxData)-&gt;RecycleSignal);
 }

 /**

</pre>
          </blockquote>
          <pre class="moz-quote-pre" wrap="">


</pre>
        </blockquote>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">



</pre>
    </blockquote>
  </body>
</html>

--------------2A8B4A4C17DB135CFDB1EACB--