Fix a memory use after free bug in DHCP6 driver.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu, Siyuan <siyuan.fu@intel.com>
Reviewed-By: Ye, Ting <ting.ye@intel.com>
Reviewed-by: Wu, Jiaxin <jiaxin.wu@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15651 6f19259b-4bc3-4df7-8a09-765794883524
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index 1da31dc..e0a2b4b 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -1,7 +1,7 @@
/** @file
Dhcp6 internal functions implementation.
- Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -363,6 +363,32 @@
}
}
+/**
+ Check whether the TxCb is still a valid control block in the instance's retry list.
+
+ @param[in] Instance The pointer to DHCP6_INSTANCE.
+ @param[in] TxCb The control block for a transmitted message.
+
+ @retval TRUE The control block is in Instance's retry list.
+ @retval FALSE The control block is NOT in Instance's retry list.
+
+**/
+BOOLEAN
+Dhcp6IsValidTxCb (
+ IN DHCP6_INSTANCE *Instance,
+ IN DHCP6_TX_CB *TxCb
+ )
+{
+ LIST_ENTRY *Entry;
+
+ NET_LIST_FOR_EACH (Entry, &Instance->TxList) {
+ if (TxCb == NET_LIST_USER_STRUCT (Entry, DHCP6_TX_CB, Link)) {
+ return TRUE;
+ }
+ }
+
+ return FALSE;
+}
/**
Clean up the session of the instance stateful exchange.
@@ -3097,7 +3123,8 @@
ON_CLOSE:
- if (TxCb->TxPacket != NULL &&
+ if (Dhcp6IsValidTxCb (Instance, TxCb) &&
+ TxCb->TxPacket != NULL &&
(TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgInfoRequest ||
TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgRenew ||
TxCb->TxPacket->Dhcp6.Header.MessageType == Dhcp6MsgConfirm)