1. Messages
  2. [PATCH v1] ShellPkg: Fix 'ping' command Ip4 receive flow.

Re: [PATCH v1] ShellPkg: Fix 'ping' command Ip4 receive flow.

Gao, Zhichao
 

Acked-by: Zhichao Gao <zhichao.gao@...>

-----Original Message-----
From: Fu, Siyuan <siyuan.fu@...>
Sent: Tuesday, March 31, 2020 7:54 PM
To: devel@edk2.groups.io; lersek@...; Ni, Ray <ray.ni@...>;
Gao, Zhichao <zhichao.gao@...>
Cc: maciej.rabeda@...
Subject: RE: [edk2-devel] [PATCH v1] ShellPkg: Fix 'ping' command Ip4 receive
flow.

Reviewed-by: Siyuan Fu <siyuan.fu@...>

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo
Ersek
Sent: 2020年3月25日 19:34
To: Ni, Ray <ray.ni@...>; Gao, Zhichao <zhichao.gao@...>
Cc: devel@edk2.groups.io; maciej.rabeda@...
Subject: Re: [edk2-devel] [PATCH v1] ShellPkg: Fix 'ping' command Ip4
receive flow.

Ray, Zhichao,

On 02/27/20 12:02, Maciej Rabeda wrote:
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2032

'ping' command's receive flow utilizes a single Rx token which it
attempts to reuse before recycling the previously received packet.
This causes a situation where under ICMP traffic,
Ping6OnEchoReplyReceived() function will receive an already recycled
packet with EFI_SUCCESS token status and finally dereference invalid
pointers from RxData structure.

Cc: Ray Ni <ray.ni@...>
Cc: Zhichao Gao <zhichao.gao@...>
Signed-off-by: Maciej Rabeda <maciej.rabeda@...>
---
ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
can you please review this ShellPkg patch? It's been on the list for
almost a month now.

Thanks
Laszlo

diff --git a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
index 23567fa2c1bb..a3fa32515192 100644
--- a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
+++ b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c
@@ -614,6 +614,11 @@ Ping6OnEchoReplyReceived (

ON_EXIT:

+ //
+ // Recycle the packet before reusing RxToken //
+ gBS->SignalEvent (Private->IpChoice ==
PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private-
RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private
- RxToken.Packet.RxData)->RecycleSignal);
+
if (Private->RxCount < Private->SendNum) {
//
// Continue to receive icmp echo reply packets.
@@ -632,10 +637,6 @@ ON_EXIT:
//
Private->Status = EFI_SUCCESS;
}
- //
- // Singal to recycle the each rxdata here, not at the end of process.
- //
- gBS->SignalEvent (Private->IpChoice ==
PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private-
RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private
- RxToken.Packet.RxData)->RecycleSignal);
}

/**
Join devel@edk2.groups.io to automatically receive all group messages.