From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jiaxin.wu@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=134.134.136.65; helo=mga03.intel.com;
 envelope-from=jiaxin.wu@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga03.intel.com (mga03.intel.com [134.134.136.65])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id BBD7E21154888
 for <edk2-devel@lists.01.org>; Mon, 24 Sep 2018 20:48:16 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
 by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 24 Sep 2018 20:48:16 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,300,1534834800"; d="scan'208";a="259971493"
Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204])
 by orsmga005.jf.intel.com with ESMTP; 24 Sep 2018 20:48:16 -0700
Received: from fmsmsx114.amr.corp.intel.com (10.18.116.8) by
 FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Mon, 24 Sep 2018 20:48:15 -0700
Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by
 FMSMSX114.amr.corp.intel.com (10.18.116.8) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Mon, 24 Sep 2018 20:48:15 -0700
Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.245]) by
 SHSMSX104.ccr.corp.intel.com ([169.254.5.183]) with mapi id 14.03.0319.002;
 Tue, 25 Sep 2018 11:48:13 +0800
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: "Fu, Siyuan" <siyuan.fu@intel.com>, "Li, Songpeng"
 <songpeng.li@intel.com>, "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Thread-Topic: [PATCH] NetworkPkg: fix read memory access overflow in HTTPBoot.
Thread-Index: AQHUVIAGSupgypTiwkyB6YMzI/4l1aT/1LCAgACHKiA=
Date: Tue, 25 Sep 2018 03:48:13 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B7274164B0C28@SHSMSX103.ccr.corp.intel.com>
References: <20180925032845.18836-1-songpeng.li@intel.com>
 <B1FF2E9001CE9041BD10B825821D5BC58B60D92D@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <B1FF2E9001CE9041BD10B825821D5BC58B60D92D@SHSMSX103.ccr.corp.intel.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYTI5Y2EyMjUtZmFhNy00MzQ5LTk5OTEtOTBhYmVjMzQxMDBiIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiQzJlZ0I0UUEyaG1renlBVDlsUlwvQWxHTHJsRmlGN0VGamg0S3BDMklRY0xoWFhrSktFS0xIRGNzVHBJUWw4Rm0ifQ==
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.0.400.15
dlp-reaction: no-action
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [PATCH] NetworkPkg: fix read memory access overflow in HTTPBoot.
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2018 03:48:16 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Besides, I recommend to separate the patch for HttpDxe and HttpUtilitiesDxe=
.

Thanks,
Jiaxin

> -----Original Message-----
> From: Fu, Siyuan
> Sent: Tuesday, September 25, 2018 11:43 AM
> To: Li, Songpeng <songpeng.li@intel.com>; edk2-devel@lists.01.org
> Cc: Wu, Jiaxin <jiaxin.wu@intel.com>
> Subject: RE: [PATCH] NetworkPkg: fix read memory access overflow in
> HTTPBoot.
>=20
> Hi, Songpeng
>=20
> The change is ok with me while I have one comment for the original
> AllocateZeroPool() in these places. Since there will be always a CopyMem(=
)
> to fill up data content to the new allocated buffer, there is no need to =
use
> AllocateZeroPool(), just AllocatePool() and adding null terminator should=
 be
> enough. This will save the unnecessary ZeroMem() time cost for better
> performance. Thanks.
>=20
>=20
> BestRegards
> Fu Siyuan
>=20
>=20
> > -----Original Message-----
> > From: Li, Songpeng
> > Sent: Tuesday, September 25, 2018 11:29 AM
> > To: edk2-devel@lists.01.org
> > Cc: Fu, Siyuan <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
> > Subject: [PATCH] NetworkPkg: fix read memory access overflow in
> HTTPBoot.
> >
> > The input param String of AsciiStrStr() requires a pointer to
> >  Null-terminated string, however in HttpTcpReceiveHeader() and
> >  HttpUtilitiesParse(), the Buffersize before AllocateZeroPool()
> >  is equal to the size of TCP header, after the CopyMem(), it
> >  might not end with Null-terminator. It might cause memory
> >  access overflow.
> >
> > Cc: Fu Siyuan <siyuan.fu@intel.com>
> > Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1204
> > Contributed-under: TianoCore Contribution Agreement 1.1
> > Signed-off-by: Songpeng Li <songpeng.li@intel.com>
> > ---
> >  NetworkPkg/HttpDxe/HttpProto.c                      | 4 ++--
> >  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c | 4 +++-
> >  2 files changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/NetworkPkg/HttpDxe/HttpProto.c
> > b/NetworkPkg/HttpDxe/HttpProto.c
> > index 94f89f5665..c729f76eff 100644
> > --- a/NetworkPkg/HttpDxe/HttpProto.c
> > +++ b/NetworkPkg/HttpDxe/HttpProto.c
> > @@ -1917,7 +1917,7 @@ HttpTcpReceiveHeader (
> >        // Append the response string.
> >        //
> >        *BufferSize =3D *SizeofHeaders + Fragment.Len;
> > -      Buffer      =3D AllocateZeroPool (*BufferSize);
> > +      Buffer      =3D AllocateZeroPool (*BufferSize + 1);
> >        if (Buffer =3D=3D NULL) {
> >          Status =3D EFI_OUT_OF_RESOURCES;
> >          return Status;
> > @@ -2016,7 +2016,7 @@ HttpTcpReceiveHeader (
> >        // Append the response string.
> >        //
> >        *BufferSize =3D *SizeofHeaders + Fragment.Len;
> > -      Buffer      =3D AllocateZeroPool (*BufferSize);
> > +      Buffer      =3D AllocateZeroPool (*BufferSize + 1);
> >        if (Buffer =3D=3D NULL) {
> >          Status =3D EFI_OUT_OF_RESOURCES;
> >          return Status;
> > diff --git a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
> > b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
> > index a9a1c7c586..2292b52537 100644
> > --- a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
> > +++ b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
> > @@ -298,6 +298,7 @@ HttpUtilitiesParse (
> >    CHAR8                     *FieldName;
> >    CHAR8                     *FieldValue;
> >    UINTN                     Index;
> > +  UINTN                     HttpBufferSize;
> >
> >    Status          =3D EFI_SUCCESS;
> >    TempHttpMessage =3D NULL;
> > @@ -311,7 +312,8 @@ HttpUtilitiesParse (
> >      return EFI_INVALID_PARAMETER;
> >    }
> >
> > -  TempHttpMessage =3D AllocateZeroPool (HttpMessageSize);
> > +  HttpBufferSize =3D HttpMessageSize + 1;
> > +  TempHttpMessage =3D AllocateZeroPool (HttpBufferSize);
> >    if (TempHttpMessage =3D=3D NULL) {
> >      return EFI_OUT_OF_RESOURCES;
> >    }
> > --
> > 2.18.0.windows.1