sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

NetworkPkg/DnsDxe: Avoid to access the freed memory buffer.

Browse Source 
The HostNameToIp() is a asynchronous function, so the caller
may free the HostName buffer immediately once HostNameToIp()
is returned. Then DNS driver may access the freed memory buffer
later.

This patch is to fix above issue.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wang Fan <fan.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
This commit is contained in:
Jiaxin Wu
2017-11-17 11:09:01 +08:00
parent 43d7e60734
commit 0c6108b652
1 changed files with 46 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
NetworkPkg/DnsDxe/DnsProtocol.c
View File

@@ -464,9 +464,15 @@ Dns4HostNameToIp (
}
TokenEntry->PacketToLive = Token->RetryInterval;
TokenEntry->QueryHostName = HostName;
TokenEntry->Token = Token;
TokenEntry->QueryHostName = AllocateZeroPool (StrSize (HostName));
if (TokenEntry->QueryHostName == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_EXIT;
}
CopyMem (TokenEntry->QueryHostName, HostName, StrSize (HostName));
//
// Construct QName.
//
@@ -480,11 +486,7 @@ Dns4HostNameToIp (
// Construct DNS Query Packet.
//
Status = ConstructDNSQuery (Instance, QueryName, DNS_TYPE_A, DNS_CLASS_INET, &Packet);
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
@@ -495,12 +497,6 @@ Dns4HostNameToIp (
//
Status = NetMapInsertTail (&Instance->Dns4TxTokens, TokenEntry, Packet);
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
NetbufFree (Packet);
goto ON_EXIT;
}
@@ -510,15 +506,24 @@ Dns4HostNameToIp (
Status = DoDnsQuery (Instance, Packet);
if (EFI_ERROR (Status)) {
Dns4RemoveTokenEntry (&Instance->Dns4TxTokens, TokenEntry);
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
NetbufFree (Packet);
}
ON_EXIT:
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
if (TokenEntry->QueryHostName != NULL) {
FreePool (TokenEntry->QueryHostName);
}
FreePool (TokenEntry);
}
if (Packet != NULL) {
NetbufFree (Packet);
}
}
if (QueryName != NULL) {
FreePool (QueryName);
}
@@ -1301,9 +1306,14 @@ Dns6HostNameToIp (
}
TokenEntry->PacketToLive = Token->RetryInterval;
TokenEntry->QueryHostName = HostName;
TokenEntry->Token = Token;
TokenEntry->QueryHostName = AllocateZeroPool (StrSize (HostName));
if (TokenEntry->QueryHostName == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_EXIT;
}
CopyMem (TokenEntry->QueryHostName, HostName, StrSize (HostName));
//
// Construct QName.
@@ -1319,10 +1329,6 @@ Dns6HostNameToIp (
//
Status = ConstructDNSQuery (Instance, QueryName, DNS_TYPE_AAAA, DNS_CLASS_INET, &Packet);
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
goto ON_EXIT;
}
@@ -1333,12 +1339,6 @@ Dns6HostNameToIp (
//
Status = NetMapInsertTail (&Instance->Dns6TxTokens, TokenEntry, Packet);
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
NetbufFree (Packet);
goto ON_EXIT;
}
@@ -1348,15 +1348,24 @@ Dns6HostNameToIp (
Status = DoDnsQuery (Instance, Packet);
if (EFI_ERROR (Status)) {
Dns6RemoveTokenEntry (&Instance->Dns6TxTokens, TokenEntry);
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
NetbufFree (Packet);
}
ON_EXIT:
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
if (TokenEntry->QueryHostName != NULL) {
FreePool (TokenEntry->QueryHostName);
}
FreePool (TokenEntry);
}
if (Packet != NULL) {
NetbufFree (Packet);
}
}
if (QueryName != NULL) {
FreePool (QueryName);
}