NetworkPkg/DnsDxe: Avoid to access the freed memory buffer.

The HostNameToIp() is a asynchronous function, so the caller
may free the HostName buffer immediately once HostNameToIp()
is returned. Then DNS driver may access the freed memory buffer
later.

This patch is to fix above issue.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wang Fan <fan.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>

diff --git a/NetworkPkg/DnsDxe/DnsProtocol.c b/NetworkPkg/DnsDxe/DnsProtocol.c
index df737dcbeb418e4c3576035a5f8dff6e1c169c0c..1fcaabdf95e570cab7b46ac56d1fdc950c3281fe 100644 (file)
--- a/NetworkPkg/DnsDxe/DnsProtocol.c
+++ b/NetworkPkg/DnsDxe/DnsProtocol.c
@@ -464,9 +464,15 @@ Dns4HostNameToIp (
   }\r
   \r
   TokenEntry->PacketToLive = Token->RetryInterval;\r
-  TokenEntry->QueryHostName = HostName;\r
   TokenEntry->Token = Token;\r
-\r
+  TokenEntry->QueryHostName = AllocateZeroPool (StrSize (HostName));\r
+  if (TokenEntry->QueryHostName == NULL) {\r
+    Status = EFI_OUT_OF_RESOURCES;\r
+    goto ON_EXIT;\r
+  }\r
+  \r
+  CopyMem (TokenEntry->QueryHostName, HostName, StrSize (HostName));\r
+  \r
   //\r
   // Construct QName.\r
   //\r
@@ -480,11 +486,7 @@ Dns4HostNameToIp (
   // Construct DNS Query Packet.\r
   //\r
   Status = ConstructDNSQuery (Instance, QueryName, DNS_TYPE_A, DNS_CLASS_INET, &Packet);\r
-  if (EFI_ERROR (Status)) {\r
-    if (TokenEntry != NULL) {\r
-      FreePool (TokenEntry);\r
-    }\r
-    \r
+  if (EFI_ERROR (Status)) { \r
     goto ON_EXIT;\r
   }\r
 \r
@@ -495,12 +497,6 @@ Dns4HostNameToIp (
   //\r
   Status = NetMapInsertTail (&Instance->Dns4TxTokens, TokenEntry, Packet);\r
   if (EFI_ERROR (Status)) {\r
-    if (TokenEntry != NULL) {\r
-      FreePool (TokenEntry);\r
-    }\r
-    \r
-    NetbufFree (Packet);\r
-    \r
     goto ON_EXIT;\r
   }\r
   \r
@@ -510,15 +506,24 @@ Dns4HostNameToIp (
   Status = DoDnsQuery (Instance, Packet);\r
   if (EFI_ERROR (Status)) {\r
     Dns4RemoveTokenEntry (&Instance->Dns4TxTokens, TokenEntry);\r
+  }\r
+  \r
+ON_EXIT:\r
 \r
+  if (EFI_ERROR (Status)) {\r
     if (TokenEntry != NULL) {\r
+      if (TokenEntry->QueryHostName != NULL) {\r
+        FreePool (TokenEntry->QueryHostName);\r
+      }\r
+      \r
       FreePool (TokenEntry);\r
     }\r
     \r
-    NetbufFree (Packet);\r
+    if (Packet != NULL) {\r
+      NetbufFree (Packet);\r
+    }\r
   }\r
   \r
-ON_EXIT:\r
   if (QueryName != NULL) {\r
     FreePool (QueryName);\r
   }\r
@@ -1301,9 +1306,14 @@ Dns6HostNameToIp (
   }\r
   \r
   TokenEntry->PacketToLive = Token->RetryInterval;\r
-  TokenEntry->QueryHostName = HostName;\r
   TokenEntry->Token = Token;\r
-\r
+  TokenEntry->QueryHostName = AllocateZeroPool (StrSize (HostName));\r
+  if (TokenEntry->QueryHostName == NULL) {\r
+    Status = EFI_OUT_OF_RESOURCES;\r
+    goto ON_EXIT;\r
+  }\r
+  \r
+  CopyMem (TokenEntry->QueryHostName, HostName, StrSize (HostName));\r
 \r
   //\r
   // Construct QName.\r
@@ -1319,10 +1329,6 @@ Dns6HostNameToIp (
   //\r
   Status = ConstructDNSQuery (Instance, QueryName, DNS_TYPE_AAAA, DNS_CLASS_INET, &Packet);\r
   if (EFI_ERROR (Status)) {\r
-    if (TokenEntry != NULL) {\r
-      FreePool (TokenEntry);\r
-    }\r
-    \r
     goto ON_EXIT;\r
   }\r
 \r
@@ -1333,12 +1339,6 @@ Dns6HostNameToIp (
   //\r
   Status = NetMapInsertTail (&Instance->Dns6TxTokens, TokenEntry, Packet);\r
   if (EFI_ERROR (Status)) {\r
-    if (TokenEntry != NULL) {\r
-      FreePool (TokenEntry);\r
-    }\r
-    \r
-    NetbufFree (Packet);\r
-    \r
     goto ON_EXIT;\r
   }\r
   \r
@@ -1348,15 +1348,24 @@ Dns6HostNameToIp (
   Status = DoDnsQuery (Instance, Packet);\r
   if (EFI_ERROR (Status)) {\r
     Dns6RemoveTokenEntry (&Instance->Dns6TxTokens, TokenEntry);\r
-    \r
+  }\r
+  \r
+ON_EXIT:\r
+\r
+  if (EFI_ERROR (Status)) {\r
     if (TokenEntry != NULL) {\r
+      if (TokenEntry->QueryHostName != NULL) {\r
+        FreePool (TokenEntry->QueryHostName);\r
+      }\r
+      \r
       FreePool (TokenEntry);\r
     }\r
     \r
-    NetbufFree (Packet);\r
+    if (Packet != NULL) {\r
+      NetbufFree (Packet);\r
+    }\r
   }\r
   \r
-ON_EXIT:\r
   if (QueryName != NULL) {\r
     FreePool (QueryName);\r
   }\r