From 764c9d95513fe4bf88719262ccf72bd9986a82fd Mon Sep 17 00:00:00 2001 From: Heyi Guo Date: Mon, 11 Dec 2017 19:11:48 +0800 Subject: MdeModulePkg/Ip4Dxe: fix ICMP echo reply memory leak When UEFI receives ICMP echo packets it will enter Ip4IcmpReplyEcho function, and then call Ip4Output. However, if Ip4Output gets some error and exits early, e.g. fails to find the route entry, memory buffer of "Data" gets no chance to be freed and memory leak will be caused. If there is such an attacker in the network, we will see UEFI runs out of memory and system hangs. So we explicitly free the memory when error status is returned. Cc: Star Zeng Cc: Eric Dong Cc: Ruiyu Ni Cc: Siyuan Fu Cc: Jiaxin Wu Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Junbiao Hong Signed-off-by: Heyi Guo Reviewed-by: Siyuan Fu Reviewed-by: Jiaxin Wu --- MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'MdeModulePkg') diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c index b4b0864..ed6bdbe 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Icmp.c @@ -267,6 +267,9 @@ Ip4IcmpReplyEcho ( Ip4SysPacketSent, NULL ); + if (EFI_ERROR (Status)) { + NetbufFree (Data); + } ON_EXIT: NetbufFree (Packet); -- cgit v1.1
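Review bot: The new `if (EFI_ERROR (Status))` block between the Ip4Output call and `ON_EXIT:` is safe only if Ip4Output never releases Data, and never runs the Ip4SysPacketSent callback, before it returns an error. The hunk does not state that ownership rule. If any error path inside Ip4Output already drops the buffer, `NetbufFree (Data)` here turns the leak into a double free, on a path the commit message says remote ICMP echo traffic can reach. Please confirm that every early exit in Ip4Output leaves Data with the caller, and add a short comment above the check saying that Data stays with the caller on failure and is otherwise released through Ip4SysPacketSent. The commit message names the missing route entry as one failing case; it would help to list the other error returns that were checked.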