From: "Wu, Jiaxin"
To: Gary Lin
CC: "edk2-devel@lists.01.org", "Ye, Ting", "Fu, Siyuan", "Hsiung, Harry L"
Date: Wed, 4 Jul 2018 02:21:14 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B7274164656BE@SHSMSX104.ccr.corp.intel.com>
Subject: Re: [Patch v3] NetworkPkg/HttpDxe: Fix the bug when parsing HTTP(S) message body.

Great, thanks for the verification.

/Jiaxin

> -----Original Message-----
> From: Gary Lin [mailto:glin@suse.com]
> Sent: Wednesday, July 4, 2018 10:14 AM
> To: Wu, Jiaxin
> Cc: edk2-devel@lists.01.org; Ye, Ting; Fu, Siyuan
> Subject: Re: [edk2] [Patch v3] NetworkPkg/HttpDxe: Fix the bug when parsing HTTP(S) message body.
>
> On Wed, Jul 04, 2018 at 08:40:52AM +0800, Jiaxin Wu wrote:
> > *v2: Resolve the conflict commit.
> >
> > *v3: Fixed the failure if BodyLength in HTTP token is less than the received
> > size of HTTPS message.
> >
> > HttpBodyParserCallback function is to parse the HTTP(S) message body so as to
> > confirm whether there is the next message header. But it doesn't record the
> > parsing message data/length correctly.
> >
> > This patch is to refine the parsing logic so as to fix the potential failure.
> >
> > Cc: Ye Ting
> > Cc: Fu Siyuan
> > Cc: Gary Lin
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Wu Jiaxin
>
> > Tested-by: Gary Lin
>
> Thanks for the patch. I've tested this patch with shim and grub2 from
> SLE15 GM, and they worked as expected. A crash in grub2 https connection is
> also gone after applying this patch.
>
> Thanks,
>
> Gary Lin
>
> > ---
> > NetworkPkg/HttpDxe/HttpImpl.c | 112 +++++++++++++++++----------------
> > NetworkPkg/HttpDxe/HttpProto.c | 10 +++
> > NetworkPkg/HttpDxe/HttpProto.h | 10 +++
> > 3 files changed, 78 insertions(+), 54 deletions(-)
> >
> > diff --git a/NetworkPkg/HttpDxe/HttpImpl.c > b/NetworkPkg/HttpDxe/HttpImpl.c > > index f70e116f38..17deceb395 100644 > > --- a/NetworkPkg/HttpDxe/HttpImpl.c > > +++ b/NetworkPkg/HttpDxe/HttpImpl.c > > @@ -914,10 +914,11 @@ HttpBodyParserCallback ( > > IN CHAR8 *Data, > > IN UINTN Length, > > IN VOID *Context > > ) > > { > > + HTTP_CALLBACK_DATA *CallbackData; > > HTTP_TOKEN_WRAP *Wrap; > > UINTN BodyLength; > > CHAR8 *Body; > > > > if (EventType !=3D BodyParseEventOnComplete) { 
> > @@ -926,25 +927,22 @@ HttpBodyParserCallback ( > > > > if (Data =3D=3D NULL || Length !=3D 0 || Context =3D=3D NULL) { > > return EFI_SUCCESS; > > } > > > > - Wrap =3D (HTTP_TOKEN_WRAP *) Context; > > - Body =3D Wrap->HttpToken->Message->Body; > > - BodyLength =3D Wrap->HttpToken->Message->BodyLength; > > + CallbackData =3D (HTTP_CALLBACK_DATA *) Context; > > + > > + Wrap =3D (HTTP_TOKEN_WRAP *) (CallbackData->Wrap); > > + Body =3D CallbackData->ParseData; > > + BodyLength =3D CallbackData->ParseDataLength; > > + > > if (Data < Body + BodyLength) { > > Wrap->HttpInstance->NextMsg =3D Data; > > } else { > > Wrap->HttpInstance->NextMsg =3D NULL; > > } > > > > - > > - // > > - // Free Tx4Token or Tx6Token since already received corrsponding HTT= P > response. > > - // > > - FreePool (Wrap); > > - > > return EFI_SUCCESS; > > } > > > > /** > > The work function of EfiHttpResponse(). 
> > @@ -1189,33 +1187,43 @@ HttpResponseWorker ( > > HttpInstance->Method, > > HttpMsg->Data.Response->StatusCode, > > HttpMsg->HeaderCount, > > HttpMsg->Headers, > > HttpBodyParserCallback, > > - (VOID *) ValueInItem, > > + (VOID *) (&HttpInstance->CallbackData), > > &HttpInstance->MsgParser > > ); > > if (EFI_ERROR (Status)) { > > goto Error2; > > } > > > > // > > // Check whether we received a complete HTTP message. > > // > > if (HttpInstance->CacheBody !=3D NULL) { > > + // > > + // Record the CallbackData data. > > + // > > + HttpInstance->CallbackData.Wrap =3D (VOID *) Wrap; > > + HttpInstance->CallbackData.ParseData =3D (VOID *) HttpInstance= - > >CacheBody; > > + HttpInstance->CallbackData.ParseDataLength =3D HttpInstance- > >CacheLen; > > + > > + // > > + // Parse message with CallbackData data. > > + // > > Status =3D HttpParseMessageBody (HttpInstance->MsgParser, > HttpInstance->CacheLen, HttpInstance->CacheBody); > > if (EFI_ERROR (Status)) { > > goto Error2; > > } > > + } > > > > - if (HttpIsMessageComplete (HttpInstance->MsgParser)) { > > - // > > - // Free the MsgParse since we already have a full HTTP messa= ge. > > - // > > - HttpFreeMsgParser (HttpInstance->MsgParser); > > - HttpInstance->MsgParser =3D NULL; > > - } > > + if (HttpIsMessageComplete (HttpInstance->MsgParser)) { > > + // > > + // Free the MsgParse since we already have a full HTTP message= . > > + // > > + HttpFreeMsgParser (HttpInstance->MsgParser); > > + HttpInstance->MsgParser =3D NULL; > > } > > } > > > > if ((HttpMsg->Body =3D=3D NULL) || (HttpMsg->BodyLength =3D=3D 0))= { > > Status =3D EFI_SUCCESS; 
> > @@ -1330,16 +1338,30 @@ HttpResponseWorker ( > > if (EFI_ERROR (Status)) { > > goto Error2; > > } > > > > // > > - // Check whether we receive a complete HTTP message. > > + // Process the received the body packet. > > + // > > + HttpMsg->BodyLength =3D MIN (Fragment.Len, (UINT32) HttpMsg- > >BodyLength); > > + > > + CopyMem (HttpMsg->Body, Fragment.Bulk, HttpMsg->BodyLength); > > + > > + // > > + // Record the CallbackData data. > > + // > > + HttpInstance->CallbackData.Wrap =3D (VOID *) Wrap; > > + HttpInstance->CallbackData.ParseData =3D HttpMsg->Body; > > + HttpInstance->CallbackData.ParseDataLength =3D HttpMsg->BodyLength= ; > > + > > + // > > + // Parse Body with CallbackData data. > > // > > Status =3D HttpParseMessageBody ( > > HttpInstance->MsgParser, > > - (UINTN) Fragment.Len, > > - (CHAR8 *) Fragment.Bulk > > + HttpMsg->BodyLength, > > + HttpMsg->Body > > ); > > if (EFI_ERROR (Status)) { > > goto Error2; > > } 
> > > > @@ -1350,50 +1372,32 @@ HttpResponseWorker ( > > HttpFreeMsgParser (HttpInstance->MsgParser); > > HttpInstance->MsgParser =3D NULL; > > } > > > > // > > - // We receive part of header of next HTTP msg. > > + // Check whether there is the next message header in the HttpMsg- > >Body. > > // > > if (HttpInstance->NextMsg !=3D NULL) { > > - HttpMsg->BodyLength =3D MIN ((UINTN) HttpInstance->NextMsg - > (UINTN) Fragment.Bulk, HttpMsg->BodyLength); > > - CopyMem (HttpMsg->Body, Fragment.Bulk, HttpMsg->BodyLength); > > - > > - HttpInstance->CacheLen =3D Fragment.Len - HttpMsg->BodyLength; > > - if (HttpInstance->CacheLen !=3D 0) { > > - if (HttpInstance->CacheBody !=3D NULL) { > > - FreePool (HttpInstance->CacheBody); > > - } > > - > > - HttpInstance->CacheBody =3D AllocateZeroPool (HttpInstance- > >CacheLen); > > - if (HttpInstance->CacheBody =3D=3D NULL) { > > - Status =3D EFI_OUT_OF_RESOURCES; > > - goto Error2; > > - } > > - > > - CopyMem (HttpInstance->CacheBody, Fragment.Bulk + HttpMsg- > >BodyLength, HttpInstance->CacheLen); > > - HttpInstance->CacheOffset =3D 0; > > + HttpMsg->BodyLength =3D HttpInstance->NextMsg - (CHAR8 *) > HttpMsg->Body; > > + } > > > > - HttpInstance->NextMsg =3D HttpInstance->CacheBody + ((UINTN) > HttpInstance->NextMsg - (UINTN) (Fragment.Bulk + HttpMsg->BodyLength)); > > + HttpInstance->CacheLen =3D Fragment.Len - HttpMsg->BodyLength; > > + if (HttpInstance->CacheLen !=3D 0) { > > + if (HttpInstance->CacheBody !=3D NULL) { > > + FreePool (HttpInstance->CacheBody); > > } > > - } else { > > - HttpMsg->BodyLength =3D MIN (Fragment.Len, (UINT32) HttpMsg- > >BodyLength); > > - CopyMem (HttpMsg->Body, Fragment.Bulk, HttpMsg->BodyLength); > > - HttpInstance->CacheLen =3D Fragment.Len - HttpMsg->BodyLength; > > - if (HttpInstance->CacheLen !=3D 0) { > > - if (HttpInstance->CacheBody !=3D NULL) { > > - FreePool (HttpInstance->CacheBody); > > - } > > > > - HttpInstance->CacheBody =3D AllocateZeroPool (HttpInstance- > >CacheLen); > > - if 
(HttpInstance->CacheBody =3D=3D NULL) { > > - Status =3D EFI_OUT_OF_RESOURCES; > > - goto Error2; > > - } > > + HttpInstance->CacheBody =3D AllocateZeroPool (HttpInstance- > >CacheLen); > > + if (HttpInstance->CacheBody =3D=3D NULL) { > > + Status =3D EFI_OUT_OF_RESOURCES; > > + goto Error2; > > + } > > > > - CopyMem (HttpInstance->CacheBody, Fragment.Bulk + HttpMsg- > >BodyLength, HttpInstance->CacheLen); > > - HttpInstance->CacheOffset =3D 0; > > + CopyMem (HttpInstance->CacheBody, Fragment.Bulk + HttpMsg- > >BodyLength, HttpInstance->CacheLen); > > + HttpInstance->CacheOffset =3D 0; > > + if (HttpInstance->NextMsg !=3D NULL) { > > + HttpInstance->NextMsg =3D HttpInstance->CacheBody; > > } > > } > > > > if (Fragment.Bulk !=3D NULL) { > > FreePool (Fragment.Bulk); > > diff --git a/NetworkPkg/HttpDxe/HttpProto.c > b/NetworkPkg/HttpDxe/HttpProto.c > > index 5356cd35c0..94f89f5665 100644 > > --- a/NetworkPkg/HttpDxe/HttpProto.c > > +++ b/NetworkPkg/HttpDxe/HttpProto.c > > @@ -195,10 +195,20 @@ HttpTcpReceiveNotifyDpc ( > > Length =3D (UINTN) Wrap- > >TcpWrap.Rx6Data.FragmentTable[0].FragmentLength; > > } else { > > Length =3D (UINTN) Wrap- > >TcpWrap.Rx4Data.FragmentTable[0].FragmentLength; > > } > > > > + // > > + // Record the CallbackData data. > > + // > > + HttpInstance->CallbackData.Wrap =3D (VOID *) Wrap; > > + HttpInstance->CallbackData.ParseData =3D Wrap->HttpToken->Message- > >Body; > > + HttpInstance->CallbackData.ParseDataLength =3D Length; > > + > > + // > > + // Parse Body with CallbackData data. > > + // > > Status =3D HttpParseMessageBody ( > > HttpInstance->MsgParser, > > Length, > > Wrap->HttpToken->Message->Body > > ); > > diff --git a/NetworkPkg/HttpDxe/HttpProto.h > b/NetworkPkg/HttpDxe/HttpProto.h > > index cc6c1eb566..fa57dbfd39 100644 > > --- a/NetworkPkg/HttpDxe/HttpProto.h > > +++ b/NetworkPkg/HttpDxe/HttpProto.h 
> > @@ -89,10 +89,19 @@ typedef struct { > > EFI_TLS_CONNECTION_END ConnectionEnd; > > EFI_TLS_VERIFY VerifyMethod; > > EFI_TLS_SESSION_STATE SessionState; > > } TLS_CONFIG_DATA; > > > > +// > > +// Callback data for HTTP_PARSER_CALLBACK() > > +// > > +typedef struct { > > + UINTN ParseDataLength; > > + VOID *ParseData; > > + VOID *Wrap; > > +} HTTP_CALLBACK_DATA; > > + > > typedef struct _HTTP_PROTOCOL { > > UINT32 Signature; > > EFI_HTTP_PROTOCOL Http; > > EFI_HANDLE Handle; > > HTTP_SERVICE *Service; > > @@ -147,10 +156,11 @@ typedef struct _HTTP_PROTOCOL { > > > > // > > // HTTP message-body parser. > > // > > VOID *MsgParser; > > + HTTP_CALLBACK_DATA CallbackData; > > > > EFI_HTTP_VERSION HttpVersion; > > UINT32 TimeOutMillisec; > > BOOLEAN LocalAddressIsIPv6; > > > > -- > > 2.17.1.windows.2 > > > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org > > https://lists.01.org/mailman/listinfo/edk2-devel > >
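
Review bot: In the HttpBodyParserCallback hunk of HttpImpl.c (@@ -926,25 +927,22 @@), the `FreePool (Wrap)` that released the Tx4Token/Tx6Token wrap is removed, and no visible hunk adds a replacement free; the HttpResponseWorker call site also stops passing `ValueInItem` as the callback context. Please show where that Tx wrap is released now, or free it at the call site once the response has been matched, so this does not turn into a leak per response. Separately, `if (Data < Body + BodyLength)` has no lower bound; an `ASSERT (Data >= Body)` would catch any call site that parses one buffer while CallbackData still describes another.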
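
Review bot: In the HttpResponseWorker hunk at @@ -1189,33 +1187,43 @@, the `HttpIsMessageComplete` block moves out of the `CacheBody != NULL` branch, which changes behaviour for responses with no cached body, and neither the code comment nor the commit message says why; please add a sentence. Also, `CallbackData.Wrap` and `CallbackData.ParseData` are raw pointers stored in the long-lived HttpInstance: where the parser is released (`HttpFreeMsgParser` followed by `MsgParser = NULL`), clearing CallbackData as well would keep a stale Wrap or CacheBody pointer from being read by a later callback.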
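
Review bot: In the hunk at @@ -1330,16 +1338,30 @@, `MIN (Fragment.Len, (UINT32) HttpMsg->BodyLength)` narrows the caller's BodyLength to 32 bits before the comparison, so a value above 4 GiB is truncated (possibly to 0) instead of clamped. Widening the other operand, as in `MIN ((UINTN) Fragment.Len, HttpMsg->BodyLength)`, avoids that. The new comment "Process the received the body packet" also has a doubled article.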
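
Review bot: In the hunk at @@ -1350,50 +1372,32 @@, a failed `AllocateZeroPool` jumps to Error2 with `CacheLen` still non-zero, `CacheBody` NULL and `NextMsg` still pointing into `HttpMsg->Body`, which is the caller's buffer. Unless Error2 already resets them (not visible here), set `CacheLen = 0` and `NextMsg = NULL` before the `goto`. `NextMsg` is also re-pointed at `CacheBody` only inside the `CacheLen != 0` branch; an explicit else that sets it to NULL would document that it never survives this call as a pointer into the caller's buffer. Finally, `HttpInstance->NextMsg - (CHAR8 *) HttpMsg->Body` stores a signed pointer difference into BodyLength, so an ASSERT that NextMsg is not below Body belongs next to it.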
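
Review bot: In the HttpTcpReceiveNotifyDpc hunk of HttpProto.c (@@ -195,10 +195,20 @@), this is the third copy of the three CallbackData assignments followed by `HttpParseMessageBody`, and the callback is only correct if the recorded buffer and length match the arguments of that call every time. A small helper that takes the instance, Wrap, buffer and length and does both the recording and the parse would remove the chance of a future call site parsing one buffer while the callback bounds-checks against another.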
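
Review bot: In the HTTP_CALLBACK_DATA definition in HttpProto.h (@@ -89,10 +89,19 @@), `ParseData` and `Wrap` are declared `VOID *` although the callback immediately uses them as `CHAR8 *` and `HTTP_TOKEN_WRAP *`; concrete types (with a forward declaration if needed) would let the compiler check the three assignment sites. The struct comment should also state the contract: ParseData/ParseDataLength must describe the exact buffer passed to the next `HttpParseMessageBody` call, and who owns Wrap.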
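
The receive flow the patch moves to (copy into the caller's buffer, record that buffer and its length, parse the same buffer, then split body from the bytes that belong to the next message), as a stand-alone C model. This is an added example, not code from the patch or from edk2; `rx_state`, `deliver_fragment`, the toy Content-Length parser and the sample bytes in the comments are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the HttpDxe receive state (names are assumptions). */
typedef struct {
  size_t remaining;      /* body bytes still expected (Content-Length model) */
  const char *parsed;    /* buffer handed to the parser, cf. ParseData       */
  size_t parsed_len;     /* its length, cf. ParseDataLength                  */
  const char *next_msg;  /* start of the next message, or NULL               */
  char *cache;           /* fragment bytes not returned to the caller        */
  size_t cache_len;
} rx_state;

/* Callback check: the body end counts only if it lies inside the parsed buffer. */
static void on_body_complete(rx_state *s, const char *end) {
  s->next_msg = (end >= s->parsed && end < s->parsed + s->parsed_len) ? end : NULL;
}

/* Toy parser: consumes up to `remaining` bytes and reports where the body ends. */
static void parse_body(rx_state *s, const char *buf, size_t len) {
  size_t n = len < s->remaining ? len : s->remaining;
  s->remaining -= n;
  if (s->remaining == 0) on_body_complete(s, buf + n);
}

/* Returns the body bytes delivered, or (size_t)-1 if the cache cannot be allocated. */
size_t deliver_fragment(rx_state *s, const char *frag, size_t frag_len,
                        char *body, size_t body_cap) {
  size_t body_len = frag_len < body_cap ? frag_len : body_cap;
  memcpy(body, frag, body_len);
  s->parsed = body;               /* record exactly the buffer being parsed */
  s->parsed_len = body_len;
  s->next_msg = NULL;
  parse_body(s, body, body_len);
  int saw_next = (s->next_msg != NULL);
  if (saw_next) body_len = (size_t)(s->next_msg - body);
  free(s->cache);                 /* drop the old cache, never leave it dangling */
  s->cache = NULL;
  s->next_msg = NULL;
  s->cache_len = frag_len - body_len;
  if (s->cache_len != 0) {
    s->cache = malloc(s->cache_len);
    if (s->cache == NULL) { s->cache_len = 0; return (size_t)-1; }
    memcpy(s->cache, frag + body_len, s->cache_len);
    if (saw_next) s->next_msg = s->cache;
  }
  return body_len;
}
```

On allocation failure the model leaves `cache_len` at 0 and `next_msg` NULL, so no field points into the caller's buffer after the call returns.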