From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web11.1205.1581551614339077865 for ; Wed, 12 Feb 2020 15:53:34 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: nicholas.armour@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Feb 2020 15:53:33 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,434,1574150400"; d="scan'208";a="237868429" Received: from narmour-mobl5.amr.corp.intel.com ([10.24.13.11]) by orsmga006.jf.intel.com with ESMTP; 12 Feb 2020 15:53:33 -0800 From: "Armour, Nicholas" To: devel@edk2.groups.io Cc: Nicholas Armour , Jiaxin Wu , Maciej Rabeda , Siyuan Fu Subject: [PATCH 1/1] NetworkPkg/ArpDxe: Recycle invalid ARP packets(CVE-2019-14559). Date: Wed, 12 Feb 2020 15:53:30 -0800 Message-Id: X-Mailer: git-send-email 2.16.2.windows.1 In-Reply-To: References: REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031 This patch triggers the RecycleEvent for invalid ARP packets. Prior to this, we would just ignore invalid ARP packets, and never free them. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Siyuan Fu Signed-off-by: Nicholas Armour --- NetworkPkg/ArpDxe/ArpImpl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/NetworkPkg/ArpDxe/ArpImpl.c b/NetworkPkg/ArpDxe/ArpImpl.c index 9cdb33f2bd66..09fc8811f125 100644 --- a/NetworkPkg/ArpDxe/ArpImpl.c +++ b/NetworkPkg/ArpDxe/ArpImpl.c @@ -125,6 +125,7 @@ ArpOnFrameRcvdDpc ( Head->OpCode = NTOHS (Head->OpCode); if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) { + gBS->SignalEvent (RxData->RecycleEvent); goto RESTART_RECEIVE; } -- 2.16.2.windows.1
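Review bot: The added `gBS->SignalEvent (RxData->RecycleEvent);` in the short-packet branch of ArpOnFrameRcvdDpc covers only this one exit to `RESTART_RECEIVE`, and the hunk does not show whether the function's other early exits release RxData. Please confirm that every path reaching `RESTART_RECEIVE` after a frame has been received recycles RxData exactly once. If the function has, or can be given, a single cleanup label that signals RecycleEvent before the receive is restarted, jump to that label here instead of duplicating the call, so that a validation check added later cannot reintroduce the leak. A short comment above the call saying that the malformed frame's buffer is being handed back would also help, since the commit message is currently the only place that explains it.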