NetworkPkg/DnsDxe: Avoid to access the freed memory buffer.

HostNameToIp() is an asynchronous function, so the caller
may free the HostName buffer as soon as HostNameToIp()
returns. The DNS driver may then access the freed memory
buffer later.

This patch fixes the above issue.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wang Fan <fan.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Jiaxin Wu 2017-11-17 11:09:01 +08:00
parent 43d7e60734
commit 0c6108b652
1 changed files with 46 additions and 37 deletions


@ -464,9 +464,15 @@ Dns4HostNameToIp (
}
TokenEntry->PacketToLive = Token->RetryInterval;
TokenEntry->QueryHostName = HostName;
TokenEntry->Token = Token;
TokenEntry->QueryHostName = AllocateZeroPool (StrSize (HostName));
if (TokenEntry->QueryHostName == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_EXIT;
}
CopyMem (TokenEntry->QueryHostName, HostName, StrSize (HostName));
//
// Construct QName.
//
@ -480,11 +486,7 @@ Dns4HostNameToIp (
// Construct DNS Query Packet.
//
Status = ConstructDNSQuery (Instance, QueryName, DNS_TYPE_A, DNS_CLASS_INET, &Packet);
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
@ -495,12 +497,6 @@ Dns4HostNameToIp (
//
Status = NetMapInsertTail (&Instance->Dns4TxTokens, TokenEntry, Packet);
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
NetbufFree (Packet);
goto ON_EXIT;
}
@ -510,15 +506,24 @@ Dns4HostNameToIp (
Status = DoDnsQuery (Instance, Packet);
if (EFI_ERROR (Status)) {
Dns4RemoveTokenEntry (&Instance->Dns4TxTokens, TokenEntry);
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
NetbufFree (Packet);
}
ON_EXIT:
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
if (TokenEntry->QueryHostName != NULL) {
FreePool (TokenEntry->QueryHostName);
}
FreePool (TokenEntry);
}
if (Packet != NULL) {
NetbufFree (Packet);
}
}
if (QueryName != NULL) {
FreePool (QueryName);
}
@ -1301,9 +1306,14 @@ Dns6HostNameToIp (
}
TokenEntry->PacketToLive = Token->RetryInterval;
TokenEntry->QueryHostName = HostName;
TokenEntry->Token = Token;
TokenEntry->QueryHostName = AllocateZeroPool (StrSize (HostName));
if (TokenEntry->QueryHostName == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_EXIT;
}
CopyMem (TokenEntry->QueryHostName, HostName, StrSize (HostName));
//
// Construct QName.
@ -1319,10 +1329,6 @@ Dns6HostNameToIp (
//
Status = ConstructDNSQuery (Instance, QueryName, DNS_TYPE_AAAA, DNS_CLASS_INET, &Packet);
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
goto ON_EXIT;
}
@ -1333,12 +1339,6 @@ Dns6HostNameToIp (
//
Status = NetMapInsertTail (&Instance->Dns6TxTokens, TokenEntry, Packet);
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
NetbufFree (Packet);
goto ON_EXIT;
}
@ -1348,15 +1348,24 @@ Dns6HostNameToIp (
Status = DoDnsQuery (Instance, Packet);
if (EFI_ERROR (Status)) {
Dns6RemoveTokenEntry (&Instance->Dns6TxTokens, TokenEntry);
if (TokenEntry != NULL) {
FreePool (TokenEntry);
}
NetbufFree (Packet);
}
ON_EXIT:
if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
if (TokenEntry->QueryHostName != NULL) {
FreePool (TokenEntry->QueryHostName);
}
FreePool (TokenEntry);
}
if (Packet != NULL) {
NetbufFree (Packet);
}
}
if (QueryName != NULL) {
FreePool (QueryName);
}
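Review bot: The private copy now stored in `TokenEntry->QueryHostName` is freed only in the `ON_EXIT` error branch of Dns4HostNameToIp and Dns6HostNameToIp, so ownership of that buffer passes to the token entry on success. Every other path that releases a token entry (completion, timeout, cancel; none of them visible in this diff) would have to free `QueryHostName` before `FreePool (TokenEntry)`, otherwise each finished query leaks the copy; please confirm against the rest of the driver. The duplication itself can be a single call, `TokenEntry->QueryHostName = AllocateCopyPool (StrSize (HostName), HostName);`, which avoids measuring the caller's buffer twice. Both functions begin and end outside the hunks, so it is also worth checking that `TokenEntry`, `Packet` and `QueryName` are NULL-initialised before the first `goto ON_EXIT`, since the consolidated cleanup now dereferences them on every error path.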