From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.88; helo=mga01.intel.com; envelope-from=songpeng.li@intel.com; receiver=edk2-devel@lists.01.org Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C1B2E21A00AE6 for ; Mon, 24 Sep 2018 20:29:45 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Sep 2018 20:29:45 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,300,1534834800"; d="scan'208";a="266393770" Received: from songpeng.ccr.corp.intel.com ([10.239.158.28]) by fmsmga006.fm.intel.com with ESMTP; 24 Sep 2018 20:29:44 -0700 From: Songpeng Li To: edk2-devel@lists.01.org Cc: Fu Siyuan , Wu Jiaxin Date: Tue, 25 Sep 2018 11:28:45 +0800 Message-Id: <20180925032845.18836-1-songpeng.li@intel.com> X-Mailer: git-send-email 2.18.0.windows.1 Subject: [PATCH] NetworkPkg: fix read memory access overflow in HTTPBoot. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Sep 2018 03:29:46 -0000 The input param String of AsciiStrStr() requires a pointer to Null-terminated string, however in HttpTcpReceiveHeader() and HttpUtilitiesParse(), the Buffersize before AllocateZeroPool() is equal to the size of TCP header, after the CopyMem(), it might not end with Null-terminator. It might cause memory access overflow. Cc: Fu Siyuan Cc: Wu Jiaxin Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Songpeng Li --- NetworkPkg/HttpDxe/HttpProto.c | 4 ++-- NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/NetworkPkg/HttpDxe/HttpProto.c b/NetworkPkg/HttpDxe/HttpProto.c index 94f89f5665..c729f76eff 100644 --- a/NetworkPkg/HttpDxe/HttpProto.c +++ b/NetworkPkg/HttpDxe/HttpProto.c @@ -1917,7 +1917,7 @@ HttpTcpReceiveHeader ( // Append the response string. // *BufferSize = *SizeofHeaders + Fragment.Len; - Buffer = AllocateZeroPool (*BufferSize); + Buffer = AllocateZeroPool (*BufferSize + 1); if (Buffer == NULL) { Status = EFI_OUT_OF_RESOURCES; return Status; @@ -2016,7 +2016,7 @@ HttpTcpReceiveHeader ( // Append the response string. // *BufferSize = *SizeofHeaders + Fragment.Len; - Buffer = AllocateZeroPool (*BufferSize); + Buffer = AllocateZeroPool (*BufferSize + 1); if (Buffer == NULL) { Status = EFI_OUT_OF_RESOURCES; return Status; diff --git a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c index a9a1c7c586..2292b52537 100644 --- a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c +++ b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c @@ -298,6 +298,7 @@ HttpUtilitiesParse ( CHAR8 *FieldName; CHAR8 *FieldValue; UINTN Index; + UINTN HttpBufferSize; Status = EFI_SUCCESS; TempHttpMessage = NULL; @@ -311,7 +312,8 @@ HttpUtilitiesParse ( return EFI_INVALID_PARAMETER; } - TempHttpMessage = AllocateZeroPool (HttpMessageSize); + HttpBufferSize = HttpMessageSize + 1; + TempHttpMessage = AllocateZeroPool (HttpBufferSize); if (TempHttpMessage == NULL) { return EFI_OUT_OF_RESOURCES; } -- 2.18.0.windows.1