Reviewed-by: Fu Siyuan <[email protected]>


> -----Original Message-----
> From: edk2-devel [mailto:[email protected]] On Behalf Of
> Songpeng Li
> Sent: Friday, September 28, 2018 9:57 AM
> To: [email protected]
> Cc: Fu, Siyuan <[email protected]>; Wu, Jiaxin <[email protected]>
> Subject: [edk2] [PATCH 2/2] NetworkPkg/HttpUtilitiesDxe: fix read memory
> access overflow.
> 
> The input param String of AsciiStrStr() requires a pointer to
>  Null-terminated string, however in HttpUtilitiesParse(),
>  the Buffersize before AllocateZeroPool() is equal to the size
>  of TCP header, after the CopyMem(), it might not end with
>  Null-terminator. It might cause memory access overflow.
> 
> Cc: Fu Siyuan <[email protected]>
> Cc: Wu Jiaxin <[email protected]>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Songpeng Li <[email protected]>
> ---
>  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
> b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
> index a9a1c7c586..b0e3e7f081 100644
> --- a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
> +++ b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
> @@ -298,6 +298,7 @@ HttpUtilitiesParse (
>    CHAR8                     *FieldName;
>    CHAR8                     *FieldValue;
>    UINTN                     Index;
> +  UINTN                     HttpBufferSize;
> 
>    Status          = EFI_SUCCESS;
>    TempHttpMessage = NULL;
> @@ -311,12 +312,17 @@ HttpUtilitiesParse (
>      return EFI_INVALID_PARAMETER;
>    }
> 
> -  TempHttpMessage = AllocateZeroPool (HttpMessageSize);
> +  //
> +  // Append the http response string along with a Null-terminator.
> +  //
> +  HttpBufferSize = HttpMessageSize + 1;
> +  TempHttpMessage = AllocatePool (HttpBufferSize);
>    if (TempHttpMessage == NULL) {
>      return EFI_OUT_OF_RESOURCES;
>    }
> 
>    CopyMem (TempHttpMessage, HttpMessage, HttpMessageSize);
> +  *(TempHttpMessage + HttpMessageSize) = '\0';
> 
>    //
>    // Get header number
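
Review bot: `HttpBufferSize = HttpMessageSize + 1;` has no overflow guard visible in this hunk. If HttpMessageSize can be MAX_UINTN, the sum wraps to 0, and if that zero-length allocation does not fail, the following CopyMem of HttpMessageSize bytes and the terminator store both land outside the buffer. Unless the parameter check just above (its condition is not shown in these lines) already bounds HttpMessageSize, return EFI_INVALID_PARAMETER for that value before the addition. Style point on the last added line: `TempHttpMessage[HttpMessageSize] = '\0';` reads more clearly than the pointer-arithmetic form, and since the buffer is no longer zeroed by AllocateZeroPool, this store is now the only thing terminating the string, so it is worth keeping directly next to the CopyMem as done here.
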
> --
> 2.18.0.windows.1
> 
> _______________________________________________
> edk2-devel mailing list
> [email protected]
> https://lists.01.org/mailman/listinfo/edk2-devel