From: Siyuan Fu <siyuan.fu@intel.com>
Date: Fri, 21 Feb 2020 02:14:18 +0000 (+0800)
Subject: NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)
X-Git-Tag: edk2-stable202002~3
X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8

NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031

This patch triggers the RecycleEvent for invalid ARP packets.
Prior to this, we would just ignore invalid ARP packets,
and never free them.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Nicholas Armour <nicholas.armour@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
---

diff --git a/NetworkPkg/ArpDxe/ArpImpl.c b/NetworkPkg/ArpDxe/ArpImpl.c
index 9cdb33f2bd..ed2d756d3e 100644
--- a/NetworkPkg/ArpDxe/ArpImpl.c
+++ b/NetworkPkg/ArpDxe/ArpImpl.c
@@ -1,7 +1,7 @@
 /** @file
   The implementation of the ARP protocol.
 
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -113,7 +113,7 @@ ArpOnFrameRcvdDpc (
     //
     // Restart the receiving if packet size is not correct.
     //
-    goto RESTART_RECEIVE;
+    goto RECYCLE_RXDATA;
   }
 
   //
@@ -125,7 +125,7 @@ ArpOnFrameRcvdDpc (
   Head->OpCode    = NTOHS (Head->OpCode);
 
   if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) {
-    goto RESTART_RECEIVE;
+    goto RECYCLE_RXDATA;
   }
 
   if ((Head->HwType != ArpService->SnpMode.IfType) ||