When UEFI receives IPMP echo packets it will enter Ip4IcmpReplyEcho function, and then call Ip4Output. However, if Ip4Output gets some error and exits early, e.g. fails to find the route entry, memory buffer of "Data" gets no chance to be freed and memory leak will be caused. If there is such an attacker in the network, we will see UEFI runs out of memory and system hangs.
So we explicitly free the memory when error status is returned. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Junbiao Hong <[email protected]> Signed-off-by: Heyi Guo <[email protected]> Reviewed-by: Siyuan Fu <[email protected]> Reviewed-by: Jiaxin Wu <[email protected]> Cc: Star Zeng <[email protected]> Cc: Eric Dong <[email protected]> Cc: Ruiyu Ni <[email protected]> Cc: Siyuan Fu <[email protected]> Cc: Jiaxin Wu <[email protected]> --- MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c index b4b0864..ed6bdbe 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( Ip4SysPacketSent, NULL ); + if (EFI_ERROR (Status)) { + NetbufFree (Data); + } ON_EXIT: NetbufFree (Packet); -- 2.7.4 _______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel
