authorFu, Siyuan <siyuan.fu@intel.com>2014-07-10 07:46:34 +0000
committersfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>2014-07-10 07:46:34 +0000
commitd2ea3b8399243ff46d9c713d4a328aa81a773a3c (patch)
tree350945be118146c1ba0ab77c71f5898abcb0a0a7
parentcf1eb6e6f85952b0fad82b937054f611cf148d57 (diff)
Fix a memory use after free bug in DHCP6 driver.
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Fu, Siyuan <siyuan.fu@intel.com> Reviewed-By: Ye, Ting <ting.ye@intel.com> Reviewed-by: Wu, Jiaxin <jiaxin.wu@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15651 6f19259b-4bc3-4df7-8a09-765794883524
-rw-r--r--NetworkPkg/Dhcp6Dxe/Dhcp6Io.c31
1 files changed, 29 insertions, 2 deletions
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index 1da31dc..e0a2b4b 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -1,7 +1,7 @@
/** @file
Dhcp6 internal functions implementation.
- Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -363,6 +363,32 @@ Dhcp6CleanupRetry (
}
}
+/**
+ Check whether the TxCb is still a valid control block in the instance's retry list.
+
+ @param[in] Instance The pointer to DHCP6_INSTANCE.
+ @param[in] TxCb The control block for a transmitted message.
+
+ @retval TRUE The control block is in Instance's retry list.
+ @retval FALSE The control block is NOT in Instance's retry list.
+
+**/
+BOOLEAN
+Dhcp6IsValidTxCb (
+ IN DHCP6_INSTANCE *Instance,
+ IN DHCP6_TX_CB *TxCb
+ )
+{
+ LIST_ENTRY *Entry;
+
+ NET_LIST_FOR_EACH (Entry, &Instance->TxList) {
+ if (TxCb == NET_LIST_USER_STRUCT (Entry, DHCP6_TX_CB, Link)) {
+ return TRUE;
+ }
+ }
+
+ return FALSE;
+}
/**
Clean up the session of the instance stateful exchange.
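Review bot: Dhcp6IsValidTxCb compares addresses only, and its header comment should say so, because that is what makes it safe to call with a pointer that may already have been freed: TxCb is never dereferenced in the loop. The same property means the check cannot tell the original control block from a new one allocated at the same address and queued on TxList after the free; whether that can happen before the caller's check runs is not visible in this diff. I would add to the comment: `TxCb is compared by address and never dereferenced, so a stale pointer may be passed; a match does not prove it is the same allocation.` As far as the diff shows the helper is used only in this file, so it could also be given file scope or a prototype in the driver's header.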
@@ -3097,7 +3123,8 @@ Dhcp6OnTimerTick (
ON_CLOSE:
- if (TxCb->TxPacket != NULL &&
+ if (Dhcp6IsValidTxCb (Instance, TxCb) &&
+ TxCb->TxPacket != NULL &&
(TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgInfoRequest ||
TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgRenew ||
TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgConfirm)
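Review bot: The new Dhcp6IsValidTxCb guard at ON_CLOSE carries no comment saying why TxCb can be stale here, and it protects only this one condition. Any other read of TxCb after the point where it can be freed and before this label would need the same check; that code is outside the hunk, so it cannot be confirmed from here. A comment such as `// TxCb may have been dequeued and freed earlier in this tick; confirm it is still on TxList before reading it.` above the `if` would record the invariant for the next maintainer. Dhcp6OnTimerTick begins and ends outside the hunk.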