ShellPkg: Fix 'ping' command Ip4 receive flow.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2032

'ping' command's receive flow utilizes a single Rx token which it
attempts to reuse before recycling the previously received packet.
This causes a situation where under ICMP traffic,
Ping6OnEchoReplyReceived() function will receive an already
recycled packet with EFI_SUCCESS token status and finally
dereference invalid pointers from RxData structure.

Cc: Ray Ni <ray.ni@intel.com>
Cc: Zhichao Gao <zhichao.gao@intel.com>
Signed-off-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
Acked-by: Zhichao Gao <zhichao.gao@intel.com>

diff --git a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
index 23567fa2c1bb27229a572ffa01cffda63eaa8800..a3fa325151929c3b82bea60d85a669c2e585ad48 100644 (file)
--- a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
+++ b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
@@ -614,6 +614,11 @@ Ping6OnEchoReplyReceived (
 \r
 ON_EXIT:\r
 \r
+  //\r
+  // Recycle the packet before reusing RxToken\r
+  //\r
+  gBS->SignalEvent (Private->IpChoice == PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal);\r
+\r
   if (Private->RxCount < Private->SendNum) {\r
     //\r
     // Continue to receive icmp echo reply packets.\r
@@ -632,10 +637,6 @@ ON_EXIT:
     //\r
     Private->Status = EFI_SUCCESS;\r
   }\r
-  //\r
-  // Singal to recycle the each rxdata here, not at the end of process.\r
-  //\r
-  gBS->SignalEvent (Private->IpChoice == PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal);\r
 }\r
 \r
 /**\r