HttpDxe: fix read memory access overflow in HTTPBoot.

Fu, Siyuan Thu, 27 Sep 2018 19:33:02 -0700

Reviewed-by: Fu Siyuan <[email protected]>


> -----Original Message-----
> From: edk2-devel [mailto:[email protected]] On Behalf Of
> Songpeng Li
> Sent: Friday, September 28, 2018 9:57 AM
> To: [email protected]
> Cc: Fu, Siyuan <[email protected]>; Wu, Jiaxin <[email protected]>
> Subject: [edk2] [PATCH 1/2] NetworkPkg/HttpDxe: fix read memory access
> overflow in HTTPBoot.
> 
> The input param String of AsciiStrStr() requires a pointer to
>  Null-terminated string, however in HttpTcpReceiveHeader(),
>  the Buffersize before AllocateZeroPool() is equal to the size
>  of TCP header, after the CopyMem(), it might not end with
>  Null-terminator. It might cause memory access overflow.
> 
> Cc: Fu Siyuan <[email protected]>
> Cc: Wu Jiaxin <[email protected]>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Songpeng Li <[email protected]>
> ---
>  NetworkPkg/HttpDxe/HttpProto.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/NetworkPkg/HttpDxe/HttpProto.c
> b/NetworkPkg/HttpDxe/HttpProto.c
> index 94f89f5665..7d69429be7 100644
> --- a/NetworkPkg/HttpDxe/HttpProto.c
> +++ b/NetworkPkg/HttpDxe/HttpProto.c
> @@ -1914,10 +1914,10 @@ HttpTcpReceiveHeader (
>        }
> 
>        //
> -      // Append the response string.
> +      // Append the response string along with a Null-terminator.
>        //
>        *BufferSize = *SizeofHeaders + Fragment.Len;
> -      Buffer      = AllocateZeroPool (*BufferSize);
> +      Buffer      = AllocatePool (*BufferSize + 1);
>        if (Buffer == NULL) {
>          Status = EFI_OUT_OF_RESOURCES;
>          return Status;
> @@ -1933,6 +1933,7 @@ HttpTcpReceiveHeader (
>          Fragment.Bulk,
>          Fragment.Len
>          );
> +      *(Buffer + *BufferSize) = '\0';
>        *HttpHeaders   = Buffer;
>        *SizeofHeaders = *BufferSize;
> 
> @@ -2013,10 +2014,10 @@ HttpTcpReceiveHeader (
>        }
> 
>        //
> -      // Append the response string.
> +      // Append the response string along with a Null-terminator.
>        //
>        *BufferSize = *SizeofHeaders + Fragment.Len;
> -      Buffer      = AllocateZeroPool (*BufferSize);
> +      Buffer      = AllocatePool (*BufferSize + 1);
>        if (Buffer == NULL) {
>          Status = EFI_OUT_OF_RESOURCES;
>          return Status;
> @@ -2032,6 +2033,7 @@ HttpTcpReceiveHeader (
>          Fragment.Bulk,
>          Fragment.Len
>          );
> +      *(Buffer + *BufferSize) = '\0';
>        *HttpHeaders   = Buffer;
>        *SizeofHeaders = *BufferSize;
> 
> --
> 2.18.0.windows.1
> 
> _______________________________________________
> edk2-devel mailing list
> [email protected]
> https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [PATCH 1/2] NetworkPkg/HttpDxe: fix read memory access overflow in HTTPBoot.

Reply via email to