NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)
author Siyuan Fu <siyuan.fu@intel.com>
Fri, 21 Feb 2020 02:14:18 +0000 (10:14 +0800)
committer mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Fri, 21 Feb 2020 03:01:57 +0000 (03:01 +0000)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031

This patch triggers the RecycleEvent for invalid ARP packets.
Prior to this, we would just ignore invalid ARP packets,
and never free them.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Nicholas Armour <nicholas.armour@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
NetworkPkg/ArpDxe/ArpImpl.c

index 9cdb33f..ed2d756 100644 (file)
@@ -1,7 +1,7 @@
 /** @file\r
   The implementation of the ARP protocol.\r
 \r
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>\r
 SPDX-License-Identifier: BSD-2-Clause-Patent\r
 \r
 **/\r
@@ -113,7 +113,7 @@ ArpOnFrameRcvdDpc (
     //\r
     // Restart the receiving if packet size is not correct.\r
     //\r
-    goto RESTART_RECEIVE;\r
+    goto RECYCLE_RXDATA;\r
   }\r
 \r
   //\r
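Review bot: the comment directly above the changed goto still says "Restart the receiving if packet size is not correct", but the branch now jumps to RECYCLE_RXDATA, so the comment no longer describes what happens to the buffer. Reword it along the lines of "Recycle the RxData and restart the receiving if packet size is not correct". The RECYCLE_RXDATA label itself is outside this hunk, so please confirm that it signals the recycle event for RxData and then still reaches the restart-receive path, otherwise a malformed frame would stop further ARP reception.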
@@ -125,7 +125,7 @@ ArpOnFrameRcvdDpc (
   Head->OpCode    = NTOHS (Head->OpCode);\r
 \r
   if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) {\r
-    goto RESTART_RECEIVE;\r
+    goto RECYCLE_RXDATA;\r
   }\r
 \r
   if ((Head->HwType != ArpService->SnpMode.IfType) ||\r
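Review bot: the second changed goto, under the check of RxData->DataLength against sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen, has no comment, unlike the size check in the previous hunk. Add one stating that a packet too short for the address lengths its own header declares is recycled, since those lengths come from the received frame. The commit message says invalid packets were never freed, so every other early exit in ArpOnFrameRcvdDpc taken after RxData is obtained should be audited too; the HwType check that follows is cut off in this context and its exit target is not visible here.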