author    Laszlo Ersek <lersek@redhat.com>  2016-04-03 11:48:43 +0200
committer Laszlo Ersek <lersek@redhat.com>  2016-04-04 13:53:12 +0200
commit    166a6552a829ab680862331449f11970c085f26d
tree      6eb62c2226bdbf19511d0c073ca5249cf3d80156
parent    00f18da1ca79beccdf71e30689e19e8b2e3a02fd
MdeModulePkg: DxeUdpIoLib: fix non-empty payload path in UDP reception
Commit 1b31acb66c02 ("MdeModulePkg: Check received packet size before use
it.") introduced a chunk of code under the new "Resume" label, in function
UdpIoOnDgramRcvdDpc(). The new code is supposed to run only when the
received packet has zero-length payload, but a "return" statement was
forgotten, and the code is reached on the normal (nonzero-length payload)
path as well, after the packet has been processed (and possibly freed) by
RxToken->CallBack().

This is a logic bug, with the direct symptom being use-after-free / General
Protection Fault.

Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: "Subramanian, Sriram (EG Servers Platform SW)" <sriram-s@hpe.com>
Fixes: 1b31acb66c026f2791c959a4ec9b55c04d583c22
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Sriram Subramanian <sriram-s@hpe.com>
-rw-r--r--  MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c  1
1 files changed, 1 insertions, 0 deletions
diff --git a/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c b/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c
index 4f7126d3ce..4861095435 100644
--- a/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c
+++ b/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c
@@ -303,6 +303,7 @@ UdpIoOnDgramRcvdDpc (
}
RxToken->CallBack (Netbuf, &EndPoint, EFI_SUCCESS, RxToken->Context);
+ return;
Resume:
if (RxToken->UdpIo->UdpVersion == UDP_IO_UDP4_VERSION) {
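Review bot: the new `return;` after `RxToken->CallBack (Netbuf, &EndPoint, EFI_SUCCESS, RxToken->Context);` is the right fix, but it deserves a one-line comment so the next reader does not mistake it for a stray early exit and "clean it up", reintroducing the fall-through into `Resume:`. The commit message states that `RxToken->CallBack()` may have consumed and freed `Netbuf`, and that the code under `Resume:` is meant only for the zero-length-payload path reached via its goto; a comment such as `// Netbuf is owned by the callback now; do not fall through to Resume.` placed directly above the `return;` would record that invariant next to the code that enforces it.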