Commit 1b31acb66c ("MdeModulePkg: Check received packet size before use
it.") introduced a chunk of code under the new "Resume" label, in function
UdpIoOnDgramRcvdDpc(). The new code is supposed to run only when the
received packet has zero-length payload, but a "return" statement was
forgotten, and the code is reached on the normal (nonzero-length payload)
path as well, after the packet has been processed (and possibly freed) by
RxToken->CallBack(). This is a logic bug, with the direct symptom being
use-after-free / General Protection Fault.
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: "Subramanian, Sriram (EG Servers Platform SW)" <sriram-s@hpe.com>
Fixes: 1b31acb66c
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Sriram Subramanian <sriram-s@hpe.com>
166a6552a8