From: "Vladimir Olovyannikov"
To: devel@edk2.groups.io
Cc: Vladimir Olovyannikov, Maciej Rabeda, Jiaxin Wu, Siyuan Fu
Subject: [PATCH 1/1] NetworkPkg: Fix possible infinite loop in HTTP msg body parser
Date: Fri, 28 Aug 2020 11:17:06 -0700
Message-Id: <20200828181706.25296-1-vladimir.olovyannikov@broadcom.com>

When an HTTP server sends non-chunked body data with no Content-Length header, the HttpParserMessageBody in DxeHttpLib gets confused and never sets the Char pointer beyond the body start. This causes the "for" loop to never break because the condition of "Char >= Body + BodyLength" is never satisfied.

Use BodyLength as the ContentLength for the parser when ContentLength is absent in HTTP response headers.

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2941

Signed-off-by: Vladimir Olovyannikov
Cc: Maciej Rabeda
Cc: Jiaxin Wu
Cc: Siyuan Fu
--- NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c b/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c index 180d9321025a..e550c9962dc1 100644 --- a/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c +++ b/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c @@ -1122,6 +1122,7 @@ HttpParseMessageBody ( CHAR8 *Char; UINTN RemainderLengthInThis; UINTN LengthForCallback; + UINTN PortionLength; EFI_STATUS Status; HTTP_BODY_PARSER *Parser; 
@@ -1173,19 +1174,31 @@ HttpParseMessageBody ( // // Identity transfer-coding, just notify user to save the body data. // + PortionLength = MIN ( + BodyLength, + Parser->ContentLength - Parser->ParsedBodyLength + ); + if (!PortionLength) { + // + // Got BodyLength, but no ContentLength. Use BodyLength. + // + PortionLength = BodyLength; + Parser->ContentLength = PortionLength; + } + if (Parser->Callback != NULL) { Status = Parser->Callback ( BodyParseEventOnData, Char, - MIN (BodyLength, Parser->ContentLength - Parser->ParsedBodyLength), + PortionLength, Parser->Context ); if (EFI_ERROR (Status)) { return Status; } } - Char += MIN (BodyLength, Parser->ContentLength - Parser->ParsedBodyLength); - Parser->ParsedBodyLength += MIN (BodyLength, Parser->ContentLength - Parser->ParsedBodyLength); + Char += PortionLength; + Parser->ParsedBodyLength += PortionLength; if (Parser->ParsedBodyLength == Parser->ContentLength) { Parser->State = BodyParserComplete; if (Parser->Callback != NULL) { -- 2.26.2.266.ge870325ee8
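Review bot: In the identity transfer-coding hunk, `if (!PortionLength)` cannot distinguish a missing Content-Length header from the other ways the MIN can evaluate to zero: a BodyLength of 0, or Parser->ContentLength equal to Parser->ParsedBodyLength (a response that really carries Content-Length: 0, or a body that has already been fully parsed). If the branch is reached with a nonzero ParsedBodyLength, overwriting Parser->ContentLength with BodyLength leaves ParsedBodyLength larger than ContentLength after the increment, so the `Parser->ParsedBodyLength == Parser->ContentLength` test below does not move the parser to BodyParserComplete. Suggest keying the fallback on an explicit record that the header was absent (however the parser tracks that, which is not visible in this hunk) instead of inferring it from a zero length, and handling BodyLength == 0 separately. Note also that setting ContentLength to the first buffer's BodyLength makes the parser report completion after that one buffer, so a body with no Content-Length that arrives across several calls is treated as finished at the first portion; the comment or commit message should say whether that is intended. Minor style point: `PortionLength == 0` is clearer than `!PortionLength` for a UINTN.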