| Message ID | 1512613307-62879-1-git-send-email-heyi.guo@linaro.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [edk2,RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak | expand |
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com> > -----Original Message----- > From: Heyi Guo [mailto:heyi.guo@linaro.org] > Sent: Thursday, December 7, 2017 10:22 AM > To: linaro-uefi@lists.linaro.org; edk2-devel@lists.01.org > Cc: Heyi Guo <heyi.guo@linaro.org>; Junbiao Hong <hongjunbiao@huawei.com>; > Zeng, Star <star.zeng@intel.com>; Dong, Eric <eric.dong@intel.com>; Ni, > Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Wu, Jiaxin > <jiaxin.wu@intel.com> > Subject: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak > > When UEFI receives IPMP echo packets it will enter Ip4IcmpReplyEcho > function, and then call Ip4Output. However, if Ip4Output gets some > error and exits early, e.g. fails to find the route entry, memory > buffer of "Data" gets no chance to be freed and memory leak will be > caused. If there is such an attacker in the network, we will see UEFI > runs out of memory and system hangs. > > Network stack code is so complicated that this is just a RFC to fix > this issue. Please provide your comments about this. > > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Junbiao Hong <hongjunbiao@huawei.com> > Signed-off-by: Heyi Guo <heyi.guo@linaro.org> > Cc: Star Zeng <star.zeng@intel.com> > Cc: Eric Dong <eric.dong@intel.com> > Cc: Ruiyu Ni <ruiyu.ni@intel.com> > Cc: Siyuan Fu <siyuan.fu@intel.com> > Cc: Jiaxin Wu <jiaxin.wu@intel.com> > --- > MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > index b4b0864..ed6bdbe 100644 > --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( > Ip4SysPacketSent, > NULL > ); > + if (EFI_ERROR (Status)) { > + NetbufFree (Data); > + } > > ON_EXIT: > NetbufFree (Packet); > -- > 2.7.4 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
It's is good to me. Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com> Thanks, Jiaxin > -----Original Message----- > From: Heyi Guo [mailto:heyi.guo@linaro.org] > Sent: Thursday, December 7, 2017 10:22 AM > To: linaro-uefi@lists.linaro.org; edk2-devel@lists.01.org > Cc: Heyi Guo <heyi.guo@linaro.org>; Junbiao Hong > <hongjunbiao@huawei.com>; Zeng, Star <star.zeng@intel.com>; Dong, Eric > <eric.dong@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan > <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com> > Subject: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak > > When UEFI receives IPMP echo packets it will enter Ip4IcmpReplyEcho > function, and then call Ip4Output. However, if Ip4Output gets some > error and exits early, e.g. fails to find the route entry, memory > buffer of "Data" gets no chance to be freed and memory leak will be > caused. If there is such an attacker in the network, we will see UEFI > runs out of memory and system hangs. > > Network stack code is so complicated that this is just a RFC to fix > this issue. Please provide your comments about this. > > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Junbiao Hong <hongjunbiao@huawei.com> > Signed-off-by: Heyi Guo <heyi.guo@linaro.org> > Cc: Star Zeng <star.zeng@intel.com> > Cc: Eric Dong <eric.dong@intel.com> > Cc: Ruiyu Ni <ruiyu.ni@intel.com> > Cc: Siyuan Fu <siyuan.fu@intel.com> > Cc: Jiaxin Wu <jiaxin.wu@intel.com> > --- > MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > index b4b0864..ed6bdbe 100644 > --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( > Ip4SysPacketSent, > NULL > ); > + if (EFI_ERROR (Status)) { > + NetbufFree (Data); > + } > > ON_EXIT: > NetbufFree (Packet); > -- > 2.7.4 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Hi Siyuan and Jiaxin, Thanks for your review; shall I generate a formal patch and post it again, as well as making some commit message refinement? Regards, Gary (Heyi Guo) 在 12/7/2017 3:01 PM, Wu, Jiaxin 写道: > It's is good to me. > > Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com> > > Thanks, > Jiaxin > > >> -----Original Message----- >> From: Heyi Guo [mailto:heyi.guo@linaro.org] >> Sent: Thursday, December 7, 2017 10:22 AM >> To: linaro-uefi@lists.linaro.org; edk2-devel@lists.01.org >> Cc: Heyi Guo <heyi.guo@linaro.org>; Junbiao Hong >> <hongjunbiao@huawei.com>; Zeng, Star <star.zeng@intel.com>; Dong, Eric >> <eric.dong@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan >> <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com> >> Subject: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak >> >> When UEFI receives IPMP echo packets it will enter Ip4IcmpReplyEcho >> function, and then call Ip4Output. However, if Ip4Output gets some >> error and exits early, e.g. fails to find the route entry, memory >> buffer of "Data" gets no chance to be freed and memory leak will be >> caused. If there is such an attacker in the network, we will see UEFI >> runs out of memory and system hangs. >> >> Network stack code is so complicated that this is just a RFC to fix >> this issue. Please provide your comments about this. >> >> Contributed-under: TianoCore Contribution Agreement 1.1 >> Signed-off-by: Junbiao Hong <hongjunbiao@huawei.com> >> Signed-off-by: Heyi Guo <heyi.guo@linaro.org> >> Cc: Star Zeng <star.zeng@intel.com> >> Cc: Eric Dong <eric.dong@intel.com> >> Cc: Ruiyu Ni <ruiyu.ni@intel.com> >> Cc: Siyuan Fu <siyuan.fu@intel.com> >> Cc: Jiaxin Wu <jiaxin.wu@intel.com> >> --- >> MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c >> b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c >> index b4b0864..ed6bdbe 100644 >> --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c >> +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c >> @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( >> Ip4SysPacketSent, >> NULL >> ); >> + if (EFI_ERROR (Status)) { >> + NetbufFree (Data); >> + } >> >> ON_EXIT: >> NetbufFree (Packet); >> -- >> 2.7.4
Hi Gary, Agree to generate a formal patch. You can attach the reviewed-by tag at the same time. Can you help to file one Bugzilla for this issue? BTW, Do you need us commit the patch or by yourself? Thanks, Jiaxin > -----Original Message----- > From: Heyi Guo [mailto:heyi.guo@linaro.org] > Sent: Thursday, December 7, 2017 8:23 PM > To: Wu, Jiaxin <jiaxin.wu@intel.com>; linaro-uefi@lists.linaro.org; edk2- > devel@lists.01.org; Fu, Siyuan <siyuan.fu@intel.com> > Cc: Junbiao Hong <hongjunbiao@huawei.com>; Zeng, Star > <star.zeng@intel.com>; Dong, Eric <eric.dong@intel.com>; Ni, Ruiyu > <ruiyu.ni@intel.com> > Subject: Re: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak > > Hi Siyuan and Jiaxin, > > Thanks for your review; shall I generate a formal patch and post it > again, as well as making some commit message refinement? > > Regards, > > > Gary (Heyi Guo) > > > 在 12/7/2017 3:01 PM, Wu, Jiaxin 写道: > > It's is good to me. > > > > Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com> > > > > Thanks, > > Jiaxin > > > > > >> -----Original Message----- > >> From: Heyi Guo [mailto:heyi.guo@linaro.org] > >> Sent: Thursday, December 7, 2017 10:22 AM > >> To: linaro-uefi@lists.linaro.org; edk2-devel@lists.01.org > >> Cc: Heyi Guo <heyi.guo@linaro.org>; Junbiao Hong > >> <hongjunbiao@huawei.com>; Zeng, Star <star.zeng@intel.com>; Dong, > Eric > >> <eric.dong@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan > >> <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com> > >> Subject: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak > >> > >> When UEFI receives IPMP echo packets it will enter Ip4IcmpReplyEcho > >> function, and then call Ip4Output. However, if Ip4Output gets some > >> error and exits early, e.g. fails to find the route entry, memory > >> buffer of "Data" gets no chance to be freed and memory leak will be > >> caused. If there is such an attacker in the network, we will see UEFI > >> runs out of memory and system hangs. > >> > >> Network stack code is so complicated that this is just a RFC to fix > >> this issue. Please provide your comments about this. > >> > >> Contributed-under: TianoCore Contribution Agreement 1.1 > >> Signed-off-by: Junbiao Hong <hongjunbiao@huawei.com> > >> Signed-off-by: Heyi Guo <heyi.guo@linaro.org> > >> Cc: Star Zeng <star.zeng@intel.com> > >> Cc: Eric Dong <eric.dong@intel.com> > >> Cc: Ruiyu Ni <ruiyu.ni@intel.com> > >> Cc: Siyuan Fu <siyuan.fu@intel.com> > >> Cc: Jiaxin Wu <jiaxin.wu@intel.com> > >> --- > >> MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ > >> 1 file changed, 3 insertions(+) > >> > >> diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > >> b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > >> index b4b0864..ed6bdbe 100644 > >> --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > >> +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > >> @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( > >> Ip4SysPacketSent, > >> NULL > >> ); > >> + if (EFI_ERROR (Status)) { > >> + NetbufFree (Data); > >> + } > >> > >> ON_EXIT: > >> NetbufFree (Packet); > >> -- > >> 2.7.4
On Fri, Dec 08, 2017 at 12:39:30AM +0000, Wu, Jiaxin wrote: > Hi Gary, > > Agree to generate a formal patch. You can attach the reviewed-by tag at the same time. > > Can you help to file one Bugzilla for this issue? No Problem. > > BTW, Do you need us commit the patch or by yourself? Yes, for I can't commit by myself :) Thanks and regards, Gary (Heyi Guo) > > Thanks, > Jiaxin > > > -----Original Message----- > > From: Heyi Guo [mailto:heyi.guo@linaro.org] > > Sent: Thursday, December 7, 2017 8:23 PM > > To: Wu, Jiaxin <jiaxin.wu@intel.com>; linaro-uefi@lists.linaro.org; edk2- > > devel@lists.01.org; Fu, Siyuan <siyuan.fu@intel.com> > > Cc: Junbiao Hong <hongjunbiao@huawei.com>; Zeng, Star > > <star.zeng@intel.com>; Dong, Eric <eric.dong@intel.com>; Ni, Ruiyu > > <ruiyu.ni@intel.com> > > Subject: Re: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak > > > > Hi Siyuan and Jiaxin, > > > > Thanks for your review; shall I generate a formal patch and post it > > again, as well as making some commit message refinement? > > > > Regards, > > > > > > Gary (Heyi Guo) > > > > > > 在 12/7/2017 3:01 PM, Wu, Jiaxin 写道: > > > It's is good to me. > > > > > > Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com> > > > > > > Thanks, > > > Jiaxin > > > > > > > > >> -----Original Message----- > > >> From: Heyi Guo [mailto:heyi.guo@linaro.org] > > >> Sent: Thursday, December 7, 2017 10:22 AM > > >> To: linaro-uefi@lists.linaro.org; edk2-devel@lists.01.org > > >> Cc: Heyi Guo <heyi.guo@linaro.org>; Junbiao Hong > > >> <hongjunbiao@huawei.com>; Zeng, Star <star.zeng@intel.com>; Dong, > > Eric > > >> <eric.dong@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan > > >> <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com> > > >> Subject: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak > > >> > > >> When UEFI receives IPMP echo packets it will enter Ip4IcmpReplyEcho > > >> function, and then call Ip4Output. However, if Ip4Output gets some > > >> error and exits early, e.g. fails to find the route entry, memory > > >> buffer of "Data" gets no chance to be freed and memory leak will be > > >> caused. If there is such an attacker in the network, we will see UEFI > > >> runs out of memory and system hangs. > > >> > > >> Network stack code is so complicated that this is just a RFC to fix > > >> this issue. Please provide your comments about this. > > >> > > >> Contributed-under: TianoCore Contribution Agreement 1.1 > > >> Signed-off-by: Junbiao Hong <hongjunbiao@huawei.com> > > >> Signed-off-by: Heyi Guo <heyi.guo@linaro.org> > > >> Cc: Star Zeng <star.zeng@intel.com> > > >> Cc: Eric Dong <eric.dong@intel.com> > > >> Cc: Ruiyu Ni <ruiyu.ni@intel.com> > > >> Cc: Siyuan Fu <siyuan.fu@intel.com> > > >> Cc: Jiaxin Wu <jiaxin.wu@intel.com> > > >> --- > > >> MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ > > >> 1 file changed, 3 insertions(+) > > >> > > >> diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > >> b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > >> index b4b0864..ed6bdbe 100644 > > >> --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > >> +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > >> @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( > > >> Ip4SysPacketSent, > > >> NULL > > >> ); > > >> + if (EFI_ERROR (Status)) { > > >> + NetbufFree (Data); > > >> + } > > >> > > >> ON_EXIT: > > >> NetbufFree (Packet); > > >> -- > > >> 2.7.4 >
Hi Jiaxin, We are still having our QA to finally verify the patches (including the ICMP error listener bug fix), so I will post the formal patch after regression test completes. Regards, Gary (Heyi Guo) On Fri, Dec 08, 2017 at 10:04:20AM +0800, Guo Heyi wrote: > On Fri, Dec 08, 2017 at 12:39:30AM +0000, Wu, Jiaxin wrote: > > Hi Gary, > > > > Agree to generate a formal patch. You can attach the reviewed-by tag at the same time. > > > > Can you help to file one Bugzilla for this issue? > > No Problem. > > > > > BTW, Do you need us commit the patch or by yourself? > > Yes, for I can't commit by myself :) > > Thanks and regards, > > Gary (Heyi Guo) > > > > > Thanks, > > Jiaxin > > > > > -----Original Message----- > > > From: Heyi Guo [mailto:heyi.guo@linaro.org] > > > Sent: Thursday, December 7, 2017 8:23 PM > > > To: Wu, Jiaxin <jiaxin.wu@intel.com>; linaro-uefi@lists.linaro.org; edk2- > > > devel@lists.01.org; Fu, Siyuan <siyuan.fu@intel.com> > > > Cc: Junbiao Hong <hongjunbiao@huawei.com>; Zeng, Star > > > <star.zeng@intel.com>; Dong, Eric <eric.dong@intel.com>; Ni, Ruiyu > > > <ruiyu.ni@intel.com> > > > Subject: Re: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak > > > > > > Hi Siyuan and Jiaxin, > > > > > > Thanks for your review; shall I generate a formal patch and post it > > > again, as well as making some commit message refinement? > > > > > > Regards, > > > > > > > > > Gary (Heyi Guo) > > > > > > > > > 在 12/7/2017 3:01 PM, Wu, Jiaxin 写道: > > > > It's is good to me. > > > > > > > > Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com> > > > > > > > > Thanks, > > > > Jiaxin > > > > > > > > > > > >> -----Original Message----- > > > >> From: Heyi Guo [mailto:heyi.guo@linaro.org] > > > >> Sent: Thursday, December 7, 2017 10:22 AM > > > >> To: linaro-uefi@lists.linaro.org; edk2-devel@lists.01.org > > > >> Cc: Heyi Guo <heyi.guo@linaro.org>; Junbiao Hong > > > >> <hongjunbiao@huawei.com>; Zeng, Star <star.zeng@intel.com>; Dong, > > > Eric > > > >> <eric.dong@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan > > > >> <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com> > > > >> Subject: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak > > > >> > > > >> When UEFI receives IPMP echo packets it will enter Ip4IcmpReplyEcho > > > >> function, and then call Ip4Output. However, if Ip4Output gets some > > > >> error and exits early, e.g. fails to find the route entry, memory > > > >> buffer of "Data" gets no chance to be freed and memory leak will be > > > >> caused. If there is such an attacker in the network, we will see UEFI > > > >> runs out of memory and system hangs. > > > >> > > > >> Network stack code is so complicated that this is just a RFC to fix > > > >> this issue. Please provide your comments about this. > > > >> > > > >> Contributed-under: TianoCore Contribution Agreement 1.1 > > > >> Signed-off-by: Junbiao Hong <hongjunbiao@huawei.com> > > > >> Signed-off-by: Heyi Guo <heyi.guo@linaro.org> > > > >> Cc: Star Zeng <star.zeng@intel.com> > > > >> Cc: Eric Dong <eric.dong@intel.com> > > > >> Cc: Ruiyu Ni <ruiyu.ni@intel.com> > > > >> Cc: Siyuan Fu <siyuan.fu@intel.com> > > > >> Cc: Jiaxin Wu <jiaxin.wu@intel.com> > > > >> --- > > > >> MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ > > > >> 1 file changed, 3 insertions(+) > > > >> > > > >> diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > > >> b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > > >> index b4b0864..ed6bdbe 100644 > > > >> --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > > >> +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > > >> @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( > > > >> Ip4SysPacketSent, > > > >> NULL > > > >> ); > > > >> + if (EFI_ERROR (Status)) { > > > >> + NetbufFree (Data); > > > >> + } > > > >> > > > >> ON_EXIT: > > > >> NetbufFree (Packet); > > > >> -- > > > >> 2.7.4 > >
Hi Jiaxin, Bug 812 has been created: https://bugzilla.tianocore.org/show_bug.cgi?id=812 The regression test has been completed on our platform and I'll post a formal patch in minutes. Regards, Gary (Heyi Guo) On Fri, Dec 08, 2017 at 02:00:05PM +0800, Guo Heyi wrote: > Hi Jiaxin, > > We are still having our QA to finally verify the patches (including the ICMP error listener bug fix), so I will post the formal patch after regression test completes. > > Regards, > > Gary (Heyi Guo) > > > On Fri, Dec 08, 2017 at 10:04:20AM +0800, Guo Heyi wrote: > > On Fri, Dec 08, 2017 at 12:39:30AM +0000, Wu, Jiaxin wrote: > > > Hi Gary, > > > > > > Agree to generate a formal patch. You can attach the reviewed-by tag at the same time. > > > > > > Can you help to file one Bugzilla for this issue? > > > > No Problem. > > > > > > > > BTW, Do you need us commit the patch or by yourself? > > > > Yes, for I can't commit by myself :) > > > > Thanks and regards, > > > > Gary (Heyi Guo) > > > > > > > > Thanks, > > > Jiaxin > > > > > > > -----Original Message----- > > > > From: Heyi Guo [mailto:heyi.guo@linaro.org] > > > > Sent: Thursday, December 7, 2017 8:23 PM > > > > To: Wu, Jiaxin <jiaxin.wu@intel.com>; linaro-uefi@lists.linaro.org; edk2- > > > > devel@lists.01.org; Fu, Siyuan <siyuan.fu@intel.com> > > > > Cc: Junbiao Hong <hongjunbiao@huawei.com>; Zeng, Star > > > > <star.zeng@intel.com>; Dong, Eric <eric.dong@intel.com>; Ni, Ruiyu > > > > <ruiyu.ni@intel.com> > > > > Subject: Re: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak > > > > > > > > Hi Siyuan and Jiaxin, > > > > > > > > Thanks for your review; shall I generate a formal patch and post it > > > > again, as well as making some commit message refinement? > > > > > > > > Regards, > > > > > > > > > > > > Gary (Heyi Guo) > > > > > > > > > > > > 在 12/7/2017 3:01 PM, Wu, Jiaxin 写道: > > > > > It's is good to me. > > > > > > > > > > Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com> > > > > > > > > > > Thanks, > > > > > Jiaxin > > > > > > > > > > > > > > >> -----Original Message----- > > > > >> From: Heyi Guo [mailto:heyi.guo@linaro.org] > > > > >> Sent: Thursday, December 7, 2017 10:22 AM > > > > >> To: linaro-uefi@lists.linaro.org; edk2-devel@lists.01.org > > > > >> Cc: Heyi Guo <heyi.guo@linaro.org>; Junbiao Hong > > > > >> <hongjunbiao@huawei.com>; Zeng, Star <star.zeng@intel.com>; Dong, > > > > Eric > > > > >> <eric.dong@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan > > > > >> <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com> > > > > >> Subject: [RFC] MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak > > > > >> > > > > >> When UEFI receives IPMP echo packets it will enter Ip4IcmpReplyEcho > > > > >> function, and then call Ip4Output. However, if Ip4Output gets some > > > > >> error and exits early, e.g. fails to find the route entry, memory > > > > >> buffer of "Data" gets no chance to be freed and memory leak will be > > > > >> caused. If there is such an attacker in the network, we will see UEFI > > > > >> runs out of memory and system hangs. > > > > >> > > > > >> Network stack code is so complicated that this is just a RFC to fix > > > > >> this issue. Please provide your comments about this. > > > > >> > > > > >> Contributed-under: TianoCore Contribution Agreement 1.1 > > > > >> Signed-off-by: Junbiao Hong <hongjunbiao@huawei.com> > > > > >> Signed-off-by: Heyi Guo <heyi.guo@linaro.org> > > > > >> Cc: Star Zeng <star.zeng@intel.com> > > > > >> Cc: Eric Dong <eric.dong@intel.com> > > > > >> Cc: Ruiyu Ni <ruiyu.ni@intel.com> > > > > >> Cc: Siyuan Fu <siyuan.fu@intel.com> > > > > >> Cc: Jiaxin Wu <jiaxin.wu@intel.com> > > > > >> --- > > > > >> MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ > > > > >> 1 file changed, 3 insertions(+) > > > > >> > > > > >> diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > > > >> b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > > > >> index b4b0864..ed6bdbe 100644 > > > > >> --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > > > >> +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c > > > > >> @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( > > > > >> Ip4SysPacketSent, > > > > >> NULL > > > > >> ); > > > > >> + if (EFI_ERROR (Status)) { > > > > >> + NetbufFree (Data); > > > > >> + } > > > > >> > > > > >> ON_EXIT: > > > > >> NetbufFree (Packet); > > > > >> -- > > > > >> 2.7.4 > > >
diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c index b4b0864..ed6bdbe 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( Ip4SysPacketSent, NULL ); + if (EFI_ERROR (Status)) { + NetbufFree (Data); + } ON_EXIT: NetbufFree (Packet);