When UEFI receives ICMP echo packets, it will enter the Ip4IcmpReplyEcho function and then call Ip4Output. However, if Ip4Output gets some error and exits early, e.g. fails to find the route entry, the memory buffer of "Data" gets no chance to be freed and a memory leak will be caused. If there is such an attacker in the network, we will see UEFI run out of memory and the system hang.
Network stack code is so complicated that this is just an RFC to fix this issue. Please provide your comments about this.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Junbiao Hong hongjunbiao@huawei.com
Signed-off-by: Heyi Guo heyi.guo@linaro.org
Cc: Star Zeng star.zeng@intel.com
Cc: Eric Dong eric.dong@intel.com
Cc: Ruiyu Ni ruiyu.ni@intel.com
Cc: Siyuan Fu siyuan.fu@intel.com
Cc: Jiaxin Wu jiaxin.wu@intel.com
---
 MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c index b4b0864..ed6bdbe 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( Ip4SysPacketSent, NULL ); + if (EFI_ERROR (Status)) { + NetbufFree (Data); + }
ON_EXIT: NetbufFree (Packet);
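Review bot: The added NetbufFree (Data) after the Ip4Output call runs on every error status, yet the same call passes Ip4SysPacketSent to Ip4Output as its callback, so the fix is only safe if no failing path inside Ip4Output has already invoked that callback or otherwise released Data before returning; on such a path this would turn the leak into a double free. Please confirm, for each error return in Ip4Output (the early exit when no route entry is found is the one the commit message names), whether ownership of Data stays with the caller, and state that ownership rule in the function comment. If ownership differs between paths, consider doing the free inside Ip4Output itself so that callers need no per-status handling.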