From: "Vladimir Olovyannikov"
To: devel@edk2.groups.io
Cc: Vladimir Olovyannikov, Maciej Rabeda, Jiaxin Wu, Siyuan Fu
Subject: [PATCH 1/1] NetworkPkg: Fix possible infinite loop in HTTP msg body parser
Date: Sat, 29 Aug 2020 17:28:46 -0700
Message-Id: <20200830002847.12726-2-vladimir.olovyannikov@broadcom.com>
In-Reply-To: <20200830002847.12726-1-vladimir.olovyannikov@broadcom.com>
References: <20200830002847.12726-1-vladimir.olovyannikov@broadcom.com>

When an HTTP server sends non-chunked body data with no Content-Length
header, the HttpParserMessageBody in DxeHttpLib gets confused and never
sets the Char pointer beyond the body start. This causes the "for" loop to
never break because the condition of "Char >= Body + BodyLength" is never
satisfied.

Use BodyLength as the ContentLength for the parser when ContentLength is
absent in HTTP response headers.

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2941

Signed-off-by: Vladimir Olovyannikov
Cc: Maciej Rabeda
Cc: Jiaxin Wu
Cc: Siyuan Fu
---
 NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c b/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c index 180d9321025a..e550c9962dc1 100644 --- a/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c +++ b/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c
@@ -1122,6 +1122,7 @@ HttpParseMessageBody ( CHAR8 *Char; UINTN RemainderLengthInThis; UINTN LengthForCallback; + UINTN PortionLength; EFI_STATUS Status; HTTP_BODY_PARSER *Parser; @@ -1173,19 +1174,31 @@ HttpParseMessageBody ( // // Identity transfer-coding, just notify user to save the body data. // + PortionLength = MIN ( + BodyLength, + Parser->ContentLength - Parser->ParsedBodyLength + ); + if (!PortionLength) { + // + // Got BodyLength, but no ContentLength. Use BodyLength. + // + PortionLength = BodyLength; + Parser->ContentLength = PortionLength; + } + if (Parser->Callback != NULL) { Status = Parser->Callback ( BodyParseEventOnData, Char, - MIN (BodyLength, Parser->ContentLength - Parser->ParsedBodyLength), + PortionLength, Parser->Context ); if (EFI_ERROR (Status)) { return Status; } } - Char += MIN (BodyLength, Parser->ContentLength - Parser->ParsedBodyLength); - Parser->ParsedBodyLength += MIN (BodyLength, Parser->ContentLength - Parser->ParsedBodyLength); + Char += PortionLength; + Parser->ParsedBodyLength += PortionLength; if (Parser->ParsedBodyLength == Parser->ContentLength) { Parser->State = BodyParserComplete; if (Parser->Callback != NULL) { -- 2.26.2.266.ge870325ee8
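
Review bot: In the second hunk (@@ -1173,19 +1174,31 @@), the `if (!PortionLength)` test cannot distinguish a response that carried no Content-Length from one whose declared length has already been consumed, because `MIN (BodyLength, Parser->ContentLength - Parser->ParsedBodyLength)` is also zero when `ParsedBodyLength == ContentLength` with a non-zero `ContentLength`. If that state can reach this branch, the fallback overwrites the server-declared `Parser->ContentLength` with `BodyLength`, hands the callback bytes beyond the declared length, and pushes `ParsedBodyLength` past `ContentLength`, so the `Parser->ParsedBodyLength == Parser->ContentLength` completion check further down may never match again. The fallback would be safer if it were keyed on an explicit "header absent" condition (for example a flag recorded when the headers are parsed, which is not visible in this hunk) rather than on a zero result. Separately, when a body without Content-Length arrives across several calls, assigning `Parser->ContentLength = PortionLength` from the first buffer makes the parser enter `BodyParserComplete` after that first buffer; the comment should say whether that truncation is intended. As a style point, EDK II code compares integers explicitly, so this should read `PortionLength == 0`.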