summaryrefslogtreecommitdiffstats
path: root/IntelFrameworkModulePkg
diff options
context:
space:
mode:
authorLaszlo Ersek <lersek@redhat.com>2016-04-03 11:48:43 +0200
committerLaszlo Ersek <lersek@redhat.com>2016-04-04 13:53:12 +0200
commit166a6552a829ab680862331449f11970c085f26d (patch)
tree6eb62c2226bdbf19511d0c073ca5249cf3d80156 /IntelFrameworkModulePkg
parent00f18da1ca79beccdf71e30689e19e8b2e3a02fd (diff)
downloadedk2-166a6552a829ab680862331449f11970c085f26d.tar.gz
edk2-166a6552a829ab680862331449f11970c085f26d.tar.bz2
edk2-166a6552a829ab680862331449f11970c085f26d.zip
MdeModulePkg: DxeUdpIoLib: fix non-empty payload path in UDP reception
Commit 1b31acb66c02 ("MdeModulePkg: Check received packet size before use it.") introduced a chunk of code under the new "Resume" label, in function UdpIoOnDgramRcvdDpc(). The new code is supposed to run only when the received packet has zero-length payload, but a "return" statement was forgotten, and the code is reached on the normal (nonzero-length payload) path as well, after the packet has been processed (and possibly freed) by RxToken->CallBack(). This is a logic bug, with the direct symptom being use-after-free / General Protection Fault. Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: "Subramanian, Sriram (EG Servers Platform SW)" <sriram-s@hpe.com> Fixes: 1b31acb66c026f2791c959a4ec9b55c04d583c22 Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Sriram Subramanian <sriram-s@hpe.com>
Diffstat (limited to 'IntelFrameworkModulePkg')
0 files changed, 0 insertions, 0 deletions