[PATCH v3 2/2] efi_loader: fix use after free in receive path
Heinrich Schuchardt
xypron.glpk at gmx.de
Wed Oct 7 15:26:38 CEST 2020
On 07.10.20 11:04, Patrick Wildt wrote:
> With DM enabled the ethernet code will receive a packet, call
> the push method that's set by the EFI network implementation
> and then free the packet. Unfortunately the push methods only
> sets a flag that the packet needs to be handled, but the code
> that provides the packet to an EFI application runs after the
> packet has already been freed.
>
> To rectify this issue, adjust the push method to accept the packet
> and store it in a temporary buffer. The EFI application then gets
> the data copied from that buffer. This way the packet is cached
> until is is needed.
>
> The DM Ethernet stack tries to receive 32 packets at once, thus
> we better allocate as many buffers as the stack.
>
> Signed-off-by: Patrick Wildt <patrick at blueri.se>
Reviewed-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
More information about the U-Boot
mailing list