Fix a memory use after free bug in DHCP6 driver.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu, Siyuan <siyuan.fu@intel.com>
Reviewed-By: Ye, Ting <ting.ye@intel.com>
Reviewed-by: Wu, Jiaxin <jiaxin.wu@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15651 6f19259b-4bc3-4df7-8a09-765794883524

NetworkPkg/Dhcp6Dxe/Dhcp6Io.c

@@ -1,7 +1,7 @@
 /** @file
   Dhcp6 internal functions implementation.
 
-  Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -363,6 +363,32 @@ Dhcp6CleanupRetry (
   }
 }
 
+/**
+  Check whether the TxCb is still a valid control block in the instance's retry list.
+
+  @param[in]  Instance       The pointer to DHCP6_INSTANCE.
+  @param[in]  TxCb           The control block for a transmitted message.
+
+  @retval   TRUE      The control block is in Instance's retry list.
+  @retval   FALSE     The control block is NOT in Instance's retry list.
+  
+**/
+BOOLEAN
+Dhcp6IsValidTxCb (
+  IN  DHCP6_INSTANCE          *Instance,
+  IN  DHCP6_TX_CB             *TxCb
+  )
+{
+  LIST_ENTRY                *Entry;
+
+  NET_LIST_FOR_EACH (Entry, &Instance->TxList) {
+    if (TxCb == NET_LIST_USER_STRUCT (Entry, DHCP6_TX_CB, Link)) {
+      return TRUE;
+    }
+  }
+
+  return FALSE;
+}
 
 /**
   Clean up the session of the instance stateful exchange.
@@ -3097,7 +3123,8 @@ Dhcp6OnTimerTick (
 
  ON_CLOSE:
 
-  if (TxCb->TxPacket != NULL &&
+  if (Dhcp6IsValidTxCb (Instance, TxCb) &&
+      TxCb->TxPacket != NULL &&
       (TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgInfoRequest ||
       TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgRenew       ||
       TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgConfirm)