From 0c6108b6524483d0e20f8d91caedb15daf75765a Mon Sep 17 00:00:00 2001 From: Jiaxin Wu Date: Fri, 17 Nov 2017 11:09:01 +0800 Subject: NetworkPkg/DnsDxe: Avoid to access the freed memory buffer. The HostNameToIp() is a asynchronous function, so the caller may free the HostName buffer immediately once HostNameToIp() is returned. Then DNS driver may access the freed memory buffer later. This patch is to fix above issue. Cc: Ye Ting Cc: Fu Siyuan Cc: Wang Fan Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin Reviewed-by: Fu Siyuan
---
NetworkPkg/DnsDxe/DnsProtocol.c | 69 +++++++++++++++++++++++------------------
1 file changed, 39 insertions(+), 30 deletions(-) (limited to 'NetworkPkg/DnsDxe')
diff --git a/NetworkPkg/DnsDxe/DnsProtocol.c b/NetworkPkg/DnsDxe/DnsProtocol.c
index df737dcbeb..1fcaabdf95 100644
--- a/NetworkPkg/DnsDxe/DnsProtocol.c
+++ b/NetworkPkg/DnsDxe/DnsProtocol.c
@@ -464,9 +464,15 @@ Dns4HostNameToIp (
} TokenEntry->PacketToLive = Token->RetryInterval; - TokenEntry->QueryHostName = HostName; TokenEntry->Token = Token; - + TokenEntry->QueryHostName = AllocateZeroPool (StrSize (HostName)); + if (TokenEntry->QueryHostName == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + CopyMem (TokenEntry->QueryHostName, HostName, StrSize (HostName)); + // // Construct QName. //
@@ -480,11 +486,7 @@ Dns4HostNameToIp (
// Construct DNS Query Packet. // Status = ConstructDNSQuery (Instance, QueryName, DNS_TYPE_A, DNS_CLASS_INET, &Packet); - if (EFI_ERROR (Status)) { - if (TokenEntry != NULL) { - FreePool (TokenEntry); - } - + if (EFI_ERROR (Status)) { goto ON_EXIT; }
@@ -495,12 +497,6 @@ Dns4HostNameToIp (
// Status = NetMapInsertTail (&Instance->Dns4TxTokens, TokenEntry, Packet); if (EFI_ERROR (Status)) { - if (TokenEntry != NULL) { - FreePool (TokenEntry); - } - - NetbufFree (Packet); - goto ON_EXIT; }
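Review bot: The copy stored in `TokenEntry->QueryHostName` (hunk at -464) is released only by the error cleanup at `ON_EXIT`, and this commit changes no other file, so whatever code retires a token entry after a successful submit (completion, timeout, cancel) lies outside this diff and has to free the string before it frees the entry. If it does not, every resolved query leaks one pool allocation; a single helper that frees `QueryHostName` and the entry together, called from every retirement path, would keep the ownership rule in one place. Dns4HostNameToIp begins and ends outside the hunk, and the Dns6HostNameToIp hunk at -1301 has the same allocation and the same question. As a smaller point, `TokenEntry->QueryHostName = AllocateCopyPool (StrSize (HostName), HostName);` replaces the AllocateZeroPool/CopyMem pair and evaluates `StrSize` once.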
@@ -510,15 +506,24 @@ Dns4HostNameToIp (
Status = DoDnsQuery (Instance, Packet); if (EFI_ERROR (Status)) { Dns4RemoveTokenEntry (&Instance->Dns4TxTokens, TokenEntry); + } + +ON_EXIT: + if (EFI_ERROR (Status)) { if (TokenEntry != NULL) { + if (TokenEntry->QueryHostName != NULL) { + FreePool (TokenEntry->QueryHostName); + } + FreePool (TokenEntry); } - NetbufFree (Packet); + if (Packet != NULL) { + NetbufFree (Packet); + } } -ON_EXIT: if (QueryName != NULL) { FreePool (QueryName); }
@@ -1301,9 +1306,14 @@ Dns6HostNameToIp (
} TokenEntry->PacketToLive = Token->RetryInterval; - TokenEntry->QueryHostName = HostName; TokenEntry->Token = Token; - + TokenEntry->QueryHostName = AllocateZeroPool (StrSize (HostName)); + if (TokenEntry->QueryHostName == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + CopyMem (TokenEntry->QueryHostName, HostName, StrSize (HostName)); // // Construct QName.
@@ -1319,10 +1329,6 @@ Dns6HostNameToIp (
// Status = ConstructDNSQuery (Instance, QueryName, DNS_TYPE_AAAA, DNS_CLASS_INET, &Packet); if (EFI_ERROR (Status)) { - if (TokenEntry != NULL) { - FreePool (TokenEntry); - } - goto ON_EXIT; }
@@ -1333,12 +1339,6 @@ Dns6HostNameToIp (
// Status = NetMapInsertTail (&Instance->Dns6TxTokens, TokenEntry, Packet); if (EFI_ERROR (Status)) { - if (TokenEntry != NULL) { - FreePool (TokenEntry); - } - - NetbufFree (Packet); - goto ON_EXIT; }
@@ -1348,15 +1348,24 @@ Dns6HostNameToIp (
Status = DoDnsQuery (Instance, Packet); if (EFI_ERROR (Status)) { Dns6RemoveTokenEntry (&Instance->Dns6TxTokens, TokenEntry); - + } + +ON_EXIT: + + if (EFI_ERROR (Status)) { if (TokenEntry != NULL) { + if (TokenEntry->QueryHostName != NULL) { + FreePool (TokenEntry->QueryHostName); + } + FreePool (TokenEntry); } - NetbufFree (Packet); + if (Packet != NULL) { + NetbufFree (Packet); + } } -ON_EXIT: if (QueryName != NULL) { FreePool (QueryName); }
-- cgit v1.2.3
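Review bot: Moving `ON_EXIT:` above the error cleanup (hunk at -510) means every earlier `goto ON_EXIT` in Dns4HostNameToIp now reaches `FreePool (TokenEntry)` and `NetbufFree (Packet)`, including exits taken before either object is created. That is safe only if both locals are initialised to NULL at their declarations and `ConstructDNSQuery` leaves `Packet` untouched when it fails; the declarations and those earlier exits are outside the hunk, so the diff alone does not confirm it. I would state the dependency at the label, e.g. `// Reached from every exit: TokenEntry and Packet must stay NULL until allocated.` The Dns6HostNameToIp hunk at -1348 has the same shape and needs the same check.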