From patchwork Sun Apr 3 10:13:38 2016
X-Patchwork-Submitter: Laszlo Ersek
X-Patchwork-Id: 64933
From: Laszlo Ersek
To: edk2-devel-01
Cc: Ting Ye, Siyuan Fu, Jiaxin Wu
Date: Sun, 3 Apr 2016 12:13:38 +0200
Message-Id: <1459678418-25820-1-git-send-email-lersek@redhat.com>
Subject: [edk2] [PATCH] MdeModulePkg: DxeUdpIoLib: fix non-empty payload path in UDP reception
List-Id: EDK II Development

Commit 1b31acb66c02 ("MdeModulePkg: Check received packet size before use it.") introduced a chunk of code under the new "Resume" label, in function UdpIoOnDgramRcvdDpc(). The new code is supposed to run only when the received packet has zero-length payload, but a "return" statement was forgotten, and the code is reached on the normal (nonzero-length payload) path as well, after the packet has been processed (and possibly freed) by RxToken->CallBack().

This is a logic bug, with the direct symptom being use-after-free / General Protection Fault.

Cc: Siyuan Fu
Cc: Jiaxin Wu
Cc: Ting Ye
Cc: "Subramanian, Sriram (EG Servers Platform SW)"
Fixes: 1b31acb66c026f2791c959a4ec9b55c04d583c22
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek
---
 MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c | 1 +
 1 file changed, 1 insertion(+)

-- 
1.8.3.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

diff --git a/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c b/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c
index 4f7126d3ce56..4861095435e6 100644
--- a/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c
+++ b/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c
@@ -303,6 +303,7 @@ UdpIoOnDgramRcvdDpc ( } RxToken->CallBack (Netbuf, &EndPoint, EFI_SUCCESS, RxToken->Context); + return; Resume: if (RxToken->UdpIo->UdpVersion == UDP_IO_UDP4_VERSION) {
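Review bot: the bare `return;` inserted between `RxToken->CallBack (...)` and the `Resume:` label is the right fix, but nothing at that spot says why it must stay, and the commit message records that exactly this statement was already lost once; add a one-line comment above it, e.g. `// Netbuf may have been freed by CallBack; Resume is only for the zero-length case`, so a later cleanup does not drop it again. The zero-length branch that jumps to `Resume` is outside this hunk; it is worth confirming that it is the only `goto Resume` in UdpIoOnDgramRcvdDpc(), so the label is reached by that jump alone and never by fall-through.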
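The control-flow defect described in the commit message, as an added user-space model (this is not edk2 code and not the author's patch): a receive DPC hands a non-empty packet to the consumer's callback, which takes ownership and frees it, and a `Resume` label below re-arms the receive. Without a `return` after the callback, the non-empty path falls through into `Resume` and touches a packet it no longer owns. `NET_BUF`, `RX_TOKEN`, `NetbufFree`, `ConsumerCallBack` and `ResumeReceive` are stand-ins (assumptions), and the model's `Resume` block reads and releases the packet so that the fall-through is observable; the real `Resume` block in DxeUdpIoLib re-issues the receive and is outside the hunk. Instead of a real `free()`, a tombstone flag marks the packet dead, so the use-after-free is reported deterministically rather than showing up as undefined behaviour or, in firmware, a General Protection Fault.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * User-space model of the receive-DPC shape described in the commit message.
 * NET_BUF, RX_TOKEN and the function names are stand-ins for the edk2 types
 * (assumption); what matters is the control flow around the Resume label.
 */
typedef struct {
  size_t PayloadLen;
  bool   Freed;          /* instrumentation: set when the packet is released */
} NET_BUF;

typedef struct {
  void  (*CallBack)(NET_BUF *Netbuf, void *Context);
  void   *Context;
  int     Rearmed;       /* times the Resume path re-armed the receive */
  bool    UafSeen;       /* instrumentation: a released packet was read again */
  bool    DoubleFree;    /* instrumentation: a released packet was released again */
} RX_TOKEN;

/* Tombstone instead of free(): a later access is reported deterministically
   rather than being undefined behaviour (a GPF in the firmware case). */
static void NetbufFree(NET_BUF *Netbuf, RX_TOKEN *RxToken) {
  if (Netbuf->Freed) { RxToken->DoubleFree = true; return; }
  Netbuf->Freed = true;
}

/* Every read of the packet goes through here so a use-after-free is recorded. */
static size_t NetbufLen(NET_BUF *Netbuf, RX_TOKEN *RxToken) {
  if (Netbuf->Freed) { RxToken->UafSeen = true; return 0; }
  return Netbuf->PayloadLen;
}

/* Consumer's callback: it owns the packet from here on and releases it. */
static void ConsumerCallBack(NET_BUF *Netbuf, void *Context) {
  NetbufFree(Netbuf, (RX_TOKEN *)Context);
}

/* The drop-and-re-arm step under the Resume label in this model: read the
   length, release the packet, re-arm. Only the zero-length path should get here. */
static void ResumeReceive(RX_TOKEN *RxToken, NET_BUF *Netbuf) {
  (void)NetbufLen(Netbuf, RxToken);
  NetbufFree(Netbuf, RxToken);
  RxToken->Rearmed++;
}

/* Shape of the DPC before the fix: the non-empty path falls through into Resume. */
static void OnDgramRcvdBuggy(RX_TOKEN *RxToken, NET_BUF *Netbuf) {
  if (Netbuf->PayloadLen == 0) {
    goto Resume;
  }
  RxToken->CallBack(Netbuf, RxToken->Context);   /* packet now belongs to the consumer */
  /* no return here: execution continues into Resume with a packet we do not own */
Resume:
  ResumeReceive(RxToken, Netbuf);
}

/* Shape of the DPC after the fix: return once the packet has been handed over. */
static void OnDgramRcvdFixed(RX_TOKEN *RxToken, NET_BUF *Netbuf) {
  if (Netbuf->PayloadLen == 0) {
    goto Resume;
  }
  RxToken->CallBack(Netbuf, RxToken->Context);
  return;
Resume:
  ResumeReceive(RxToken, Netbuf);
}

/* Drive one variant with one constructed packet; reports what the instrumentation saw. */
static RX_TOKEN RunDpc(void (*Dpc)(RX_TOKEN *, NET_BUF *), size_t PayloadLen) {
  NET_BUF  Netbuf  = { PayloadLen, false };
  RX_TOKEN RxToken = { ConsumerCallBack, NULL, 0, false, false };
  RxToken.Context = &RxToken;      /* the callback reports into the token */
  Dpc(&RxToken, &Netbuf);
  return RxToken;
}

bool BuggyTouchesFreedPacket(size_t PayloadLen) {
  RX_TOKEN T = RunDpc(OnDgramRcvdBuggy, PayloadLen);
  return T.UafSeen || T.DoubleFree;
}
bool FixedTouchesFreedPacket(size_t PayloadLen) {
  RX_TOKEN T = RunDpc(OnDgramRcvdFixed, PayloadLen);
  return T.UafSeen || T.DoubleFree;
}
int BuggyRearmCount(size_t PayloadLen) { return RunDpc(OnDgramRcvdBuggy, PayloadLen).Rearmed; }
int FixedRearmCount(size_t PayloadLen) { return RunDpc(OnDgramRcvdFixed, PayloadLen).Rearmed; }

int main(void) {
  printf("buggy, 0-byte payload  : touched freed packet=%d, re-armed=%d\n",
         BuggyTouchesFreedPacket(0), BuggyRearmCount(0));
  printf("buggy, 512-byte payload: touched freed packet=%d, re-armed=%d\n",
         BuggyTouchesFreedPacket(512), BuggyRearmCount(512));
  printf("fixed, 512-byte payload: touched freed packet=%d, re-armed=%d\n",
         FixedTouchesFreedPacket(512), FixedRearmCount(512));
  return 0;
}
```

The zero-length case behaves identically in both variants, which is why the regression was easy to miss: only a packet with payload exercises the callback, and only then does the fall-through read and release memory the consumer already owns. The same tombstone trick (a "freed" flag checked on every access) is a cheap way to turn an intermittent GPF into a deterministic failure when reproducing this class of bug in a host-side harness.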