From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-74.mimecast.com (us-smtp-delivery-74.mimecast.com [63.128.21.74])
 by mx.groups.io with SMTP id smtpd.web11.9205.1585136056425704354
 for <devel@edk2.groups.io>;
 Wed, 25 Mar 2020 04:34:16 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=MmxlkKtA;
 spf=pass (domain: redhat.com, ip: 63.128.21.74, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1585136055;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=SuKK0uZ8no6FilQ5fHeVKfsuc6m3EGcNzzEnX9egv3E=;
	b=MmxlkKtAFbijj/G0PapAvUe29bMaUMhJwsyBq9ZOd9Won2jem4iWy2sr/9X2wI6+1mFpUC
	goA5B/7fVcHb2clBuExHxpKQF5ys6t5HCPt+M3dYD/mdjT5OsHoWRAESNGYPpEA8+SPkVx
	C2IJoFKJPkJ/Akw+4o7Ei69oJafwaDk=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-74-L4ynnL0iOAqoCgW5s2clAw-1; Wed, 25 Mar 2020 07:34:09 -0400
X-MC-Unique: L4ynnL0iOAqoCgW5s2clAw-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 59AB9801E6D;
	Wed, 25 Mar 2020 11:34:08 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-113-153.ams2.redhat.com [10.36.113.153])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 550065C1B0;
	Wed, 25 Mar 2020 11:34:07 +0000 (UTC)
Subject: Re: [edk2-devel] [PATCH v1] ShellPkg: Fix 'ping' command Ip4 receive flow.
To: Ray Ni <ray.ni@intel.com>, Zhichao Gao <zhichao.gao@intel.com>
Cc: devel@edk2.groups.io, maciej.rabeda@linux.intel.com
References: <20200227110212.1070-1-maciej.rabeda@linux.intel.com>
From: "Laszlo Ersek" <lersek@redhat.com>
Message-ID: <e319a343-543d-74c4-2eaf-a10590b72bf4@redhat.com>
Date: Wed, 25 Mar 2020 12:34:06 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20200227110212.1070-1-maciej.rabeda@linux.intel.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit

Ray, Zhichao,

On 02/27/20 12:02, Maciej Rabeda wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2032
> 
> 'ping' command's receive flow utilizes a single Rx token which it
> attempts to reuse before recycling the previously received packet.
> This causes a situation where under ICMP traffic,
> Ping6OnEchoReplyReceived() function will receive an already
> recycled packet with EFI_SUCCESS token status and finally
> dereference invalid pointers from RxData structure.
> 
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Zhichao Gao <zhichao.gao@intel.com>
> Signed-off-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> ---
>  ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)

can you please review this ShellPkg patch? It's been on the list for
almost a month now.

Thanks
Laszlo

> diff --git a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
> index 23567fa2c1bb..a3fa32515192 100644
> --- a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
> +++ b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
> @@ -614,6 +614,11 @@ Ping6OnEchoReplyReceived (
>  
>  ON_EXIT:
>  
> +  //
> +  // Recycle the packet before reusing RxToken
> +  //
> +  gBS->SignalEvent (Private->IpChoice == PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal);
> +
>    if (Private->RxCount < Private->SendNum) {
>      //
>      // Continue to receive icmp echo reply packets.
> @@ -632,10 +637,6 @@ ON_EXIT:
>      //
>      Private->Status = EFI_SUCCESS;
>    }
> -  //
> -  // Singal to recycle the each rxdata here, not at the end of process.
> -  //
> -  gBS->SignalEvent (Private->IpChoice == PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal);
>  }
>  
>  /**
>