Fix a memory use after free bug in DHCP6 driver.

[mirror_edk2.git] / NetworkPkg / Dhcp6Dxe / Dhcp6Io.c

diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index 1da31dcc5411a8562bf2b65418562b518e5415c8..e0a2b4b15f298625993852c6d4e758e3691d80df 100644 (file)
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -1,7 +1,7 @@
 /** @file\r
   Dhcp6 internal functions implementation.\r
 \r
-  Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>\r
+  Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>\r
 \r
   This program and the accompanying materials\r
   are licensed and made available under the terms and conditions of the BSD License\r
@@ -363,6 +363,32 @@ Dhcp6CleanupRetry (
   }\r
 }\r
 \r
+/**\r
+  Check whether the TxCb is still a valid control block in the instance's retry list.\r
+\r
+  @param[in]  Instance       The pointer to DHCP6_INSTANCE.\r
+  @param[in]  TxCb           The control block for a transmitted message.\r
+\r
+  @retval   TRUE      The control block is in Instance's retry list.\r
+  @retval   FALSE     The control block is NOT in Instance's retry list.\r
+  \r
+**/\r
+BOOLEAN\r
+Dhcp6IsValidTxCb (\r
+  IN  DHCP6_INSTANCE          *Instance,\r
+  IN  DHCP6_TX_CB             *TxCb\r
+  )\r
+{\r
+  LIST_ENTRY                *Entry;\r
+\r
+  NET_LIST_FOR_EACH (Entry, &Instance->TxList) {\r
+    if (TxCb == NET_LIST_USER_STRUCT (Entry, DHCP6_TX_CB, Link)) {\r
+      return TRUE;\r
+    }\r
+  }\r
+\r
+  return FALSE;\r
+}\r
 \r
 /**\r
   Clean up the session of the instance stateful exchange.\r
@@ -3097,7 +3123,8 @@ Dhcp6OnTimerTick (
 \r
  ON_CLOSE:\r
 \r
-  if (TxCb->TxPacket != NULL &&\r
+  if (Dhcp6IsValidTxCb (Instance, TxCb) &&\r
+      TxCb->TxPacket != NULL &&\r
       (TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgInfoRequest ||\r
       TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgRenew       ||\r
       TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgConfirm)\r