From d2ea3b8399243ff46d9c713d4a328aa81a773a3c Mon Sep 17 00:00:00 2001 From: "Fu, Siyuan" Date: Thu, 10 Jul 2014 07:46:34 +0000 Subject: Fix a memory use after free bug in DHCP6 driver. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Fu, Siyuan Reviewed-By: Ye, Ting Reviewed-by: Wu, Jiaxin git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15651 6f19259b-4bc3-4df7-8a09-765794883524 --- NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) (limited to 'NetworkPkg') diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c index 1da31dcc54..e0a2b4b15f 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c @@ -1,7 +1,7 @@ /** @file Dhcp6 internal functions implementation. - Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
+ Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -363,6 +363,32 @@ Dhcp6CleanupRetry ( } } +/** + Check whether the TxCb is still a valid control block in the instance's retry list. + + @param[in] Instance The pointer to DHCP6_INSTANCE. + @param[in] TxCb The control block for a transmitted message. + + @retval TRUE The control block is in Instance's retry list. + @retval FALSE The control block is NOT in Instance's retry list. + +**/ +BOOLEAN +Dhcp6IsValidTxCb ( + IN DHCP6_INSTANCE *Instance, + IN DHCP6_TX_CB *TxCb + ) +{ + LIST_ENTRY *Entry; + + NET_LIST_FOR_EACH (Entry, &Instance->TxList) { + if (TxCb == NET_LIST_USER_STRUCT (Entry, DHCP6_TX_CB, Link)) { + return TRUE; + } + } + + return FALSE; +} /** Clean up the session of the instance stateful exchange. @@ -3097,7 +3123,8 @@ Dhcp6OnTimerTick ( ON_CLOSE: - if (TxCb->TxPacket != NULL && + if (Dhcp6IsValidTxCb (Instance, TxCb) && + TxCb->TxPacket != NULL && (TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgInfoRequest || TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgRenew || TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgConfirm) -- cgit v1.2.3