From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pg1-f194.google.com (mail-pg1-f194.google.com [209.85.215.194])
 by mx.groups.io with SMTP id smtpd.web11.723.1598638649516202006
 for <devel@edk2.groups.io>;
 Fri, 28 Aug 2020 11:17:29 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@broadcom.com header.s=google header.b=XCHx080+;
 spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: broadcom.com, ip: 209.85.215.194, mailfrom: vladimir.olovyannikov@broadcom.com)
Received: by mail-pg1-f194.google.com with SMTP id m34so804804pgl.11
        for <devel@edk2.groups.io>; Fri, 28 Aug 2020 11:17:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=broadcom.com; s=google;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=asr46M7UKZMacdy/qVL71JD/APMpJqGLOA7P0yqqd0U=;
        b=XCHx080+xAGF+OPPwyDwasxANupsLg0mg+6zGcj9qnN6JBy4w1tY6UFqe99BJnJJLJ
         gwUn73QVLep8ApXIsBUNNceZvrE8OnYU4vAC1A4Whs2kHRMKbS0qrxDkElBVrbZppgSJ
         hF/HvKwDHM4ohDweLjaiAZsTZ1H9Tw+sYeBkQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=asr46M7UKZMacdy/qVL71JD/APMpJqGLOA7P0yqqd0U=;
        b=c8wvGt7vA7i4FmOQF+iJvSY3/tMO54amX+xqyGpDNwCHkVw86krcRQhgKXgLksVyD+
         +szz1lS9hsFWq3olicCdtkrgpSGHLWGY0H1FlsVb5ho8CYQXPATfBPkcqAUeMoKVgbfi
         kSKw73uLOPL8+vETh/JMC973h6H/Uty6tSAqt5fwg79rAPRaAEI0zocTU39Iq0aOT5WK
         i7P42ug4JZGcVdjBKvbMVbcyH3VRT7MUiuwZQZ18wEYQAhPywM1ktyHPE49IIFqYoXNl
         ze12yUo3kQCywh3FpYtqIPrdj6hcyAloCsHCgyuiNPEMTnD02WKAKrpagHT/PKaam82G
         bWzw==
X-Gm-Message-State: AOAM531MFK4t6J0r+mUJ/SBUWoOrJ4QTKx2h/MB3zPJ1tJ7Did7uZMwq
	hhv0LhndjmzW0pXxOLvzPFecREDEcCEOyuLs3MlSsB4hV7/EbJeFw9FFUo6Cyw6YFqQCtCPUnqO
	/PP2/pgO62SkG9Uwtidqfu+XyVdFz9GElb6WAAxK6/yyqTTPpDm06bt0nD/arx4cYvoXXZEuk0v
	32F2x0qdOvdFqrwQ==
X-Google-Smtp-Source: ABdhPJzQZbUflxNX5EbaBq5RSdz+dgPUF4/geaNxUhZytAJ18FMCxeIfJVe3c3OU6W1FzjFz0Rwmqw==
X-Received: by 2002:a63:4557:: with SMTP id u23mr36918pgk.197.1598638648420;
        Fri, 28 Aug 2020 11:17:28 -0700 (PDT)
Return-Path: <vladimir.olovyannikov@broadcom.com>
Received: from LBRMN-LNXUB114.ric.broadcom.net ([192.19.228.250])
        by smtp.gmail.com with ESMTPSA id z23sm139530pgv.57.2020.08.28.11.17.26
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 28 Aug 2020 11:17:27 -0700 (PDT)
From: "Vladimir Olovyannikov" <vladimir.olovyannikov@broadcom.com>
To: devel@edk2.groups.io
Cc: Vladimir Olovyannikov <vladimir.olovyannikov@broadcom.com>,
	Maciej Rabeda <maciej.rabeda@linux.intel.com>,
	Jiaxin Wu <jiaxin.wu@intel.com>,
	Siyuan Fu <siyuan.fu@intel.com>
Subject: [PATCH 1/1] NetworkPkg: Fix possible infinite loop in HTTP msg body parser
Date: Fri, 28 Aug 2020 11:17:06 -0700
Message-Id: <20200828181706.25296-1-vladimir.olovyannikov@broadcom.com>
X-Mailer: git-send-email 2.26.2.266.ge870325ee8
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

When an HTTP server sends a non-chunked body data with no
Content-Length header, the HttpParserMessageBody in DxeHttpLib
gets confused and never sets the Char pointer beyond the body start.
This causes "for" loop to never break because the condition of
"Char >= Body + BodyLength" is never satisfied.
Use BodyLength as the ContentLength for the parser when
ContentLength is absent in HTTP response headers.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2941

Signed-off-by: Vladimir Olovyannikov <vladimir.olovyannikov@broadcom.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
---
 NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c b/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c
index 180d9321025a..e550c9962dc1 100644
--- a/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c
+++ b/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c
@@ -1122,6 +1122,7 @@ HttpParseMessageBody (
   CHAR8                 *Char;
   UINTN                 RemainderLengthInThis;
   UINTN                 LengthForCallback;
+  UINTN                 PortionLength;
   EFI_STATUS            Status;
   HTTP_BODY_PARSER      *Parser;
 
@@ -1173,19 +1174,31 @@ HttpParseMessageBody (
       //
       // Identity transfer-coding, just notify user to save the body data.
       //
+      PortionLength = MIN (
+                        BodyLength,
+                        Parser->ContentLength - Parser->ParsedBodyLength
+                        );
+      if (!PortionLength) {
+        //
+        // Got BodyLength, but no ContentLength. Use BodyLength.
+        //
+        PortionLength = BodyLength;
+        Parser->ContentLength = PortionLength;
+      }
+
       if (Parser->Callback != NULL) {
         Status = Parser->Callback (
                            BodyParseEventOnData,
                            Char,
-                           MIN (BodyLength, Parser->ContentLength - Parser->ParsedBodyLength),
+                           PortionLength,
                            Parser->Context
                            );
         if (EFI_ERROR (Status)) {
           return Status;
         }
       }
-      Char += MIN (BodyLength, Parser->ContentLength - Parser->ParsedBodyLength);
-      Parser->ParsedBodyLength += MIN (BodyLength, Parser->ContentLength - Parser->ParsedBodyLength);
+      Char += PortionLength;
+      Parser->ParsedBodyLength += PortionLength;
       if (Parser->ParsedBodyLength == Parser->ContentLength) {
         Parser->State = BodyParserComplete;
         if (Parser->Callback != NULL) {
-- 
2.26.2.266.ge870325ee8