The input param String of AsciiStrStr() requires a pointer to a
Null-terminated string; however, in HttpUtilitiesParse(),
the buffer size before AllocateZeroPool() is equal to the size
of TCP header, and after the CopyMem() it might not end with a
Null-terminator. It might cause memory access overflow.

Cc: Fu Siyuan <[email protected]>
Cc: Wu Jiaxin <[email protected]>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Songpeng Li <[email protected]>
---
 NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c 
b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
index a9a1c7c586..b0e3e7f081 100644
--- a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
+++ b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
@@ -298,6 +298,7 @@ HttpUtilitiesParse (
   CHAR8                     *FieldName;
   CHAR8                     *FieldValue;
   UINTN                     Index;
+  UINTN                     HttpBufferSize;
 
   Status          = EFI_SUCCESS;
   TempHttpMessage = NULL;
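
Review bot: The new local HttpBufferSize is only consumed once, at the allocation in the next hunk, while the terminator write there indexes with HttpMessageSize instead. Either drop the variable and pass HttpMessageSize + 1 directly, or keep it and write the terminator at HttpBufferSize - 1, so the allocation size and the terminator offset are derived from one value and cannot drift apart in a later edit.
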
@@ -311,12 +312,17 @@ HttpUtilitiesParse (
     return EFI_INVALID_PARAMETER;
   }
 
-  TempHttpMessage = AllocateZeroPool (HttpMessageSize);
+  //
+  // Append the http response string along with a Null-terminator.
+  //
+  HttpBufferSize = HttpMessageSize + 1;
+  TempHttpMessage = AllocatePool (HttpBufferSize);
   if (TempHttpMessage == NULL) {
     return EFI_OUT_OF_RESOURCES;
   }
 
   CopyMem (TempHttpMessage, HttpMessage, HttpMessageSize);
+  *(TempHttpMessage + HttpMessageSize) = '\0';
 
   //
   // Get header number
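
Review bot: HttpBufferSize = HttpMessageSize + 1 has no overflow check visible in this hunk; if HttpMessageSize is MAX_UINTN the sum wraps to 0, and the following CopyMem and terminator write would run past a zero-length allocation. Reject that value with EFI_INVALID_PARAMETER before the addition, or compute the size with SafeUintnAdd() and fail on error. The switch from AllocateZeroPool to AllocatePool is fine here because CopyMem fills the first HttpMessageSize bytes and the last byte is set explicitly. As a style point, TempHttpMessage[HttpMessageSize] = '\0' reads more clearly than the pointer-arithmetic form, and the "=" of the new HttpBufferSize assignment should be aligned with the line below it.
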
-- 
2.18.0.windows.1

_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel
