tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ShellPkg: Fix 'ping' command Ip4 receive flow. 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2032

'ping' command's receive flow utilizes a single Rx token which it
attempts to reuse before recycling the previously received packet.
This causes a situation where under ICMP traffic,
Ping6OnEchoReplyReceived() function will receive an already
recycled packet with EFI_SUCCESS token status and finally
dereference invalid pointers from RxData structure.

Cc: Ray Ni <ray.ni@intel.com>
Cc: Zhichao Gao <zhichao.gao@intel.com>
Signed-off-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
Acked-by: Zhichao Gao <zhichao.gao@intel.com>
This commit is contained in:
Maciej Rabeda 2020-02-27 11:30:43 +01:00 committed by mergify[bot]
parent dd7523b5b1
commit 65c73df44c
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
View File

@ -614,6 +614,11 @@ Ping6OnEchoReplyReceived (
ON_EXIT: ON_EXIT:
//
// Recycle the packet before reusing RxToken
//
gBS->SignalEvent (Private->IpChoice == PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal);
if (Private->RxCount < Private->SendNum) { if (Private->RxCount < Private->SendNum) {
// //
// Continue to receive icmp echo reply packets. // Continue to receive icmp echo reply packets.
@ -632,10 +637,6 @@ ON_EXIT:
// //
Private->Status = EFI_SUCCESS; Private->Status = EFI_SUCCESS;
} }
//
// Singal to recycle the each rxdata here, not at the end of process.
//
gBS->SignalEvent (Private->IpChoice == PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal);
} }
/** /**