author | Jiaxin Wu <jiaxin.wu@intel.com> | 2017-11-17 11:09:01 +0800 |
---|---|---|
committer | Jiaxin Wu <jiaxin.wu@intel.com> | 2017-12-12 19:09:19 +0800 |
commit | 0c6108b6524483d0e20f8d91caedb15daf75765a (patch) | |
tree | 1c833102de035f275c9ecc7f525558ef5c7acaf5 | |
parent | 43d7e607348ee14de334e11e9c6987278af57f14 (diff) | |
download | edk2-0c6108b6524483d0e20f8d91caedb15daf75765a.tar.gz |
NetworkPkg/DnsDxe: Avoid to access the freed memory buffer.
HostNameToIp() is an asynchronous function, so the caller
may free the HostName buffer immediately after HostNameToIp()
returns. The DNS driver may then access the freed memory buffer
later.
This patch is to fix above issue.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wang Fan <fan.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
-rw-r--r-- | NetworkPkg/DnsDxe/DnsProtocol.c | 69 |
1 files changed, 39 insertions, 30 deletions
diff --git a/NetworkPkg/DnsDxe/DnsProtocol.c b/NetworkPkg/DnsDxe/DnsProtocol.c
index df737dcbeb..1fcaabdf95 100644
--- a/NetworkPkg/DnsDxe/DnsProtocol.c
+++ b/NetworkPkg/DnsDxe/DnsProtocol.c
@@ -464,9 +464,15 @@ Dns4HostNameToIp ( }
TokenEntry->PacketToLive = Token->RetryInterval;
- TokenEntry->QueryHostName = HostName;
TokenEntry->Token = Token;
-
+ TokenEntry->QueryHostName = AllocateZeroPool (StrSize (HostName));
+ if (TokenEntry->QueryHostName == NULL) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto ON_EXIT;
+ }
+
+ CopyMem (TokenEntry->QueryHostName, HostName, StrSize (HostName));
+
//
// Construct QName.
//
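Review bot: The copy stored in `TokenEntry->QueryHostName` is now owned by the token entry, but the only release visible in this diff is the error path under `ON_EXIT`. Every other path that frees a DNS4 token entry (normal completion, cancel, instance teardown) would need to free `QueryHostName` first, otherwise each successful query leaks the string. Those paths are outside this patch (the diffstat lists only DnsProtocol.c), so this should be confirmed wherever entries are removed from `Dns4TxTokens`. The allocate-then-copy pair can also be a single call, `TokenEntry->QueryHostName = AllocateCopyPool (StrSize (HostName), HostName);`, which avoids walking the string twice. The same applies to the Dns6HostNameToIp hunk at -1301; the function body starts and ends outside this hunk.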
@@ -480,11 +486,7 @@ Dns4HostNameToIp ( // Construct DNS Query Packet.
//
Status = ConstructDNSQuery (Instance, QueryName, DNS_TYPE_A, DNS_CLASS_INET, &Packet);
- if (EFI_ERROR (Status)) {
- if (TokenEntry != NULL) {
- FreePool (TokenEntry);
- }
-
+ if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
@@ -495,12 +497,6 @@ Dns4HostNameToIp ( //
Status = NetMapInsertTail (&Instance->Dns4TxTokens, TokenEntry, Packet);
if (EFI_ERROR (Status)) {
- if (TokenEntry != NULL) {
- FreePool (TokenEntry);
- }
-
- NetbufFree (Packet);
-
goto ON_EXIT;
}
@@ -510,15 +506,24 @@ Dns4HostNameToIp ( Status = DoDnsQuery (Instance, Packet);
if (EFI_ERROR (Status)) {
Dns4RemoveTokenEntry (&Instance->Dns4TxTokens, TokenEntry);
+ }
+
+ON_EXIT:
+ if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
+ if (TokenEntry->QueryHostName != NULL) {
+ FreePool (TokenEntry->QueryHostName);
+ }
+
FreePool (TokenEntry);
}
- NetbufFree (Packet);
+ if (Packet != NULL) {
+ NetbufFree (Packet);
+ }
}
-ON_EXIT:
if (QueryName != NULL) {
FreePool (QueryName);
}
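Review bot: The shared cleanup under `ON_EXIT` is now reached by every earlier `goto ON_EXIT` that carries an error status, so it is only safe if `TokenEntry` and `Packet` are NULL before their first assignment and the entry is zero-allocated so that `QueryHostName` starts as NULL. None of those initializations is visible in this hunk. A comment at the label would record the dependency, for example `// All error exits land here: TokenEntry and Packet must be NULL until allocated.` The return value of `Dns4RemoveTokenEntry` is also ignored before the entry is freed; if removal can fail, the map would presumably still hold a pointer to freed memory, which is worth checking. The same points apply to the Dns6HostNameToIp hunk at -1348.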
@@ -1301,9 +1306,14 @@ Dns6HostNameToIp ( }
TokenEntry->PacketToLive = Token->RetryInterval;
- TokenEntry->QueryHostName = HostName;
TokenEntry->Token = Token;
-
+ TokenEntry->QueryHostName = AllocateZeroPool (StrSize (HostName));
+ if (TokenEntry->QueryHostName == NULL) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto ON_EXIT;
+ }
+
+ CopyMem (TokenEntry->QueryHostName, HostName, StrSize (HostName));
//
// Construct QName.
@@ -1319,10 +1329,6 @@ Dns6HostNameToIp ( //
Status = ConstructDNSQuery (Instance, QueryName, DNS_TYPE_AAAA, DNS_CLASS_INET, &Packet);
if (EFI_ERROR (Status)) {
- if (TokenEntry != NULL) {
- FreePool (TokenEntry);
- }
-
goto ON_EXIT;
}
@@ -1333,12 +1339,6 @@ Dns6HostNameToIp ( //
Status = NetMapInsertTail (&Instance->Dns6TxTokens, TokenEntry, Packet);
if (EFI_ERROR (Status)) {
- if (TokenEntry != NULL) {
- FreePool (TokenEntry);
- }
-
- NetbufFree (Packet);
-
goto ON_EXIT;
}
@@ -1348,15 +1348,24 @@ Dns6HostNameToIp ( Status = DoDnsQuery (Instance, Packet);
if (EFI_ERROR (Status)) {
Dns6RemoveTokenEntry (&Instance->Dns6TxTokens, TokenEntry);
-
+ }
+
+ON_EXIT:
+
+ if (EFI_ERROR (Status)) {
if (TokenEntry != NULL) {
+ if (TokenEntry->QueryHostName != NULL) {
+ FreePool (TokenEntry->QueryHostName);
+ }
+
FreePool (TokenEntry);
}
- NetbufFree (Packet);
+ if (Packet != NULL) {
+ NetbufFree (Packet);
+ }
}
-ON_EXIT:
if (QueryName != NULL) {
FreePool (QueryName);
}