From: "Fu, Siyuan"
To: "Wu, Jiaxin", "edk2-devel@lists.01.org"
CC: "Ye, Ting"
Date: Thu, 28 Jun 2018 06:45:45 +0000
In-Reply-To: <20180627074721.972-1-Jiaxin.wu@intel.com>
Subject: Re: [Patch] NetworkPkg/HttpDxe: Fix the bug when parsing HTTP(S) message body.

Reviewed-by: Fu Siyuan

> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Wednesday, June 27, 2018 3:47 PM
> To: edk2-devel@lists.01.org
> Cc: Ye, Ting; Fu, Siyuan; Wu, Jiaxin
> Subject: [Patch] NetworkPkg/HttpDxe: Fix the bug when parsing HTTP(S) message body.
>
> HttpBodyParserCallback function is to parse the HTTP(S) message body so as to
> confirm whether there is the next message header. But it doesn't record the
> parsing message data/length correctly.
>
> This patch refines the parsing logic so as to fix the potential failure.
>
> Cc: Ye Ting
> Cc: Fu Siyuan
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin
> --- > NetworkPkg/HttpDxe/HttpImpl.c | 114 +++++++++++++++++---------------- > NetworkPkg/HttpDxe/HttpProto.c | 10 +++ > NetworkPkg/HttpDxe/HttpProto.h | 12 +++- > 3 files changed, 79 insertions(+), 57 deletions(-) >=20 > diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.= c > index a2af59674a..7f601db5c6 100644 > --- a/NetworkPkg/HttpDxe/HttpImpl.c > +++ b/NetworkPkg/HttpDxe/HttpImpl.c > @@ -914,10 +914,11 @@ HttpBodyParserCallback ( > IN CHAR8 *Data, > IN UINTN Length, > IN VOID *Context > ) > { > + HTTP_CALLBACK_DATA *CallbackData; > HTTP_TOKEN_WRAP *Wrap; > UINTN BodyLength; > CHAR8 *Body; >=20 > if (EventType !=3D BodyParseEventOnComplete) { 
> @@ -926,24 +927,21 @@ HttpBodyParserCallback ( >=20 > if (Data =3D=3D NULL || Length !=3D 0 || Context =3D=3D NULL) { > return EFI_SUCCESS; > } >=20 > - Wrap =3D (HTTP_TOKEN_WRAP *) Context; > - Body =3D Wrap->HttpToken->Message->Body; > - BodyLength =3D Wrap->HttpToken->Message->BodyLength; > + CallbackData =3D (HTTP_CALLBACK_DATA *) Context; > + > + Wrap =3D (HTTP_TOKEN_WRAP *) (CallbackData->Wrap); > + Body =3D CallbackData->ParseData; > + BodyLength =3D CallbackData->ParseDataLength; > + > if (Data < Body + BodyLength) { > Wrap->HttpInstance->NextMsg =3D Data; > } else { > Wrap->HttpInstance->NextMsg =3D NULL; > } > - > - > - // > - // Free Tx4Token or Tx6Token since already received corrsponding HTTP > response. > - // > - FreePool (Wrap); >=20 > return EFI_SUCCESS; > } >=20 > /** 
> @@ -1189,33 +1187,43 @@ HttpResponseWorker ( > HttpInstance->Method, > HttpMsg->Data.Response->StatusCode, > HttpMsg->HeaderCount, > HttpMsg->Headers, > HttpBodyParserCallback, > - (VOID *) ValueInItem, > + (VOID *) (&HttpInstance->CallbackData), > &HttpInstance->MsgParser > ); > if (EFI_ERROR (Status)) { > goto Error2; > } >=20 > // > // Check whether we received a complete HTTP message. > // > if (HttpInstance->CacheBody !=3D NULL) { > + // > + // Record the CallbackData data. > + // > + HttpInstance->CallbackData.Wrap =3D (VOID *) Wrap; > + HttpInstance->CallbackData.ParseData =3D (VOID *) HttpInstance- > >CacheBody; > + HttpInstance->CallbackData.ParseDataLength =3D HttpInstance- > >CacheLen; > + > + // > + // Parse message with CallbackData data. > + // > Status =3D HttpParseMessageBody (HttpInstance->MsgParser, > HttpInstance->CacheLen, HttpInstance->CacheBody); > if (EFI_ERROR (Status)) { > goto Error2; > } > + } >=20 > - if (HttpIsMessageComplete (HttpInstance->MsgParser)) { > - // > - // Free the MsgParse since we already have a full HTTP message= . > - // > - HttpFreeMsgParser (HttpInstance->MsgParser); > - HttpInstance->MsgParser =3D NULL; > - } > + if (HttpIsMessageComplete (HttpInstance->MsgParser)) { > + // > + // Free the MsgParse since we already have a full HTTP message. > + // > + HttpFreeMsgParser (HttpInstance->MsgParser); > + HttpInstance->MsgParser =3D NULL; > } > } >=20 > if ((HttpMsg->Body =3D=3D NULL) || (HttpMsg->BodyLength =3D=3D 0)) { > Status =3D EFI_SUCCESS; 
> @@ -1330,16 +1338,30 @@ HttpResponseWorker ( > if (EFI_ERROR (Status)) { > goto Error2; > } >=20 > // > - // Check whether we receive a complete HTTP message. > + // Process the received the body packet. > + // > + HttpMsg->BodyLength =3D MIN (Fragment.Len, (UINT32) HttpMsg- > >BodyLength); > + > + CopyMem (HttpMsg->Body, Fragment.Bulk, HttpMsg->BodyLength); > + > + // > + // Record the CallbackData data. > + // > + HttpInstance->CallbackData.Wrap =3D (VOID *) Wrap; > + HttpInstance->CallbackData.ParseData =3D HttpMsg->Body; > + HttpInstance->CallbackData.ParseDataLength =3D HttpMsg->BodyLength; > + > + // > + // Parse Body with CallbackData data. > // > Status =3D HttpParseMessageBody ( > HttpInstance->MsgParser, > - (UINTN) Fragment.Len, > - (CHAR8 *) Fragment.Bulk > + HttpMsg->BodyLength, > + HttpMsg->Body > ); > if (EFI_ERROR (Status)) { > goto Error2; > } >=20 
> @@ -1350,51 +1372,31 @@ HttpResponseWorker ( > HttpFreeMsgParser (HttpInstance->MsgParser); > HttpInstance->MsgParser =3D NULL; > } >=20 > // > - // We receive part of header of next HTTP msg. > + // Check whether there is the next message header in the HttpMsg- > >Body. > // > if (HttpInstance->NextMsg !=3D NULL) { > - HttpMsg->BodyLength =3D MIN ((UINTN) HttpInstance->NextMsg - (UINT= N) > Fragment.Bulk, HttpMsg->BodyLength); > - CopyMem (HttpMsg->Body, Fragment.Bulk, HttpMsg->BodyLength); > - > - HttpInstance->CacheLen =3D Fragment.Len - HttpMsg->BodyLength; > - if (HttpInstance->CacheLen !=3D 0) { > - if (HttpInstance->CacheBody !=3D NULL) { > - FreePool (HttpInstance->CacheBody); > - } > - > - HttpInstance->CacheBody =3D AllocateZeroPool (HttpInstance- > >CacheLen); > - if (HttpInstance->CacheBody =3D=3D NULL) { > - Status =3D EFI_OUT_OF_RESOURCES; > - goto Error2; > - } > - > - CopyMem (HttpInstance->CacheBody, Fragment.Bulk + HttpMsg- > >BodyLength, HttpInstance->CacheLen); > - HttpInstance->CacheOffset =3D 0; > + HttpMsg->BodyLength =3D HttpInstance->NextMsg - (CHAR8 *) HttpMsg- > >Body; > + } >=20 > - HttpInstance->NextMsg =3D HttpInstance->CacheBody + ((UINTN) > HttpInstance->NextMsg - (UINTN) (Fragment.Bulk + HttpMsg->BodyLength)); > + HttpInstance->CacheLen =3D Fragment.Len - HttpMsg->BodyLength; > + if (HttpInstance->CacheLen !=3D 0) { > + if (HttpInstance->CacheBody !=3D NULL) { > + FreePool (HttpInstance->CacheBody); > } > - } else { > - HttpMsg->BodyLength =3D MIN (Fragment.Len, (UINT32) HttpMsg- > >BodyLength); > - CopyMem (HttpMsg->Body, Fragment.Bulk, HttpMsg->BodyLength); > - HttpInstance->CacheLen =3D Fragment.Len - HttpMsg->BodyLength; > - if (HttpInstance->CacheLen !=3D 0) { > - if (HttpInstance->CacheBody !=3D NULL) { > - FreePool (HttpInstance->CacheBody); > - } > - > - HttpInstance->CacheBody =3D AllocateZeroPool (HttpInstance- > >CacheLen); > - if (HttpInstance->CacheBody =3D=3D NULL) { > - Status =3D EFI_OUT_OF_RESOURCES; > - goto 
Error2; > - } > - > - CopyMem (HttpInstance->CacheBody, Fragment.Bulk + HttpMsg- > >BodyLength, HttpInstance->CacheLen); > - HttpInstance->CacheOffset =3D 0; > + > + HttpInstance->CacheBody =3D AllocateZeroPool (HttpInstance->CacheL= en); > + if (HttpInstance->CacheBody =3D=3D NULL) { > + Status =3D EFI_OUT_OF_RESOURCES; > + goto Error2; > } > + > + CopyMem (HttpInstance->CacheBody, Fragment.Bulk + HttpMsg- > >BodyLength, HttpInstance->CacheLen); > + HttpInstance->CacheOffset =3D 0; > + HttpInstance->NextMsg =3D HttpInstance->CacheBody; > } >=20 > if (Fragment.Bulk !=3D NULL) { > FreePool (Fragment.Bulk); > Fragment.Bulk =3D NULL; > diff --git a/NetworkPkg/HttpDxe/HttpProto.c > b/NetworkPkg/HttpDxe/HttpProto.c > index 35c4a166c4..6dc292d5cc 100644 > --- a/NetworkPkg/HttpDxe/HttpProto.c > +++ b/NetworkPkg/HttpDxe/HttpProto.c > @@ -194,11 +194,21 @@ HttpTcpReceiveNotifyDpc ( > if (UsingIpv6) { > Length =3D (UINTN) Wrap- > >TcpWrap.Rx6Data.FragmentTable[0].FragmentLength; > } else { > Length =3D (UINTN) Wrap- > >TcpWrap.Rx4Data.FragmentTable[0].FragmentLength; > } > + > + // > + // Record the CallbackData data. > + // > + HttpInstance->CallbackData.Wrap =3D (VOID *) Wrap; > + HttpInstance->CallbackData.ParseData =3D Wrap->HttpToken->Message->Bod= y; > + HttpInstance->CallbackData.ParseDataLength =3D Length; >=20 > + // > + // Parse Body with CallbackData data. > + // > Status =3D HttpParseMessageBody ( > HttpInstance->MsgParser, > Length, > Wrap->HttpToken->Message->Body > ); > diff --git a/NetworkPkg/HttpDxe/HttpProto.h > b/NetworkPkg/HttpDxe/HttpProto.h > index 04d36aaca0..4d96792ba7 100644 > --- a/NetworkPkg/HttpDxe/HttpProto.h > +++ b/NetworkPkg/HttpDxe/HttpProto.h > @@ -1,9 +1,9 @@ > /** @file > The header files of miscellaneous routines for HttpDxe driver. >=20 > -Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
> +Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> This program and the accompanying materials > are licensed and made available under the terms and conditions of the BS= D > License > which accompanies this distribution. The full text of the license may b= e > found at > http://opensource.org/licenses/bsd-license.php > @@ -89,10 +89,19 @@ typedef struct { > EFI_TLS_CONNECTION_END ConnectionEnd; > EFI_TLS_VERIFY VerifyMethod; > EFI_TLS_SESSION_STATE SessionState; > } TLS_CONFIG_DATA; >=20 > +// > +// Callback data for HTTP_PARSER_CALLBACK() > +// > +typedef struct { > + UINTN ParseDataLength; > + VOID *ParseData; > + VOID *Wrap; > +} HTTP_CALLBACK_DATA; > + > typedef struct _HTTP_PROTOCOL { > UINT32 Signature; > EFI_HTTP_PROTOCOL Http; > EFI_HANDLE Handle; > HTTP_SERVICE *Service; > @@ -147,10 +156,11 @@ typedef struct _HTTP_PROTOCOL { >=20 > // > // HTTP message-body parser. > // > VOID *MsgParser; > + HTTP_CALLBACK_DATA CallbackData; >=20 > EFI_HTTP_VERSION HttpVersion; > UINT32 TimeOutMillisec; > BOOLEAN LocalAddressIsIPv6; >=20 > -- > 2.17.1.windows.2
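Review bot: In the @@ -926 hunk of HttpImpl.c, `if (Data < Body + BodyLength)` checks only the upper bound, so a Data pointer that lies below CallbackData->ParseData (for example when a call site has not recorded the buffer it hands to HttpParseMessageBody) is still stored in NextMsg. Suggest testing `Data >= Body && Data < Body + BodyLength`, and checking CallbackData->Wrap for NULL before `Wrap->HttpInstance` is dereferenced. The hunk also drops `FreePool (Wrap)` and no replacement free appears in this patch; please say in the commit message where the wrap is released now.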
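Review bot: In the @@ -1330 hunk of HttpImpl.c, `MIN (Fragment.Len, (UINT32) HttpMsg->BodyLength)` narrows the caller's BodyLength before the comparison, so a buffer length above the 32-bit range is truncated and the CopyMem size no longer reflects the real buffer. Widening the other operand instead, `MIN ((UINTN) Fragment.Len, HttpMsg->BodyLength)`, avoids the truncation. The new comment "Process the received the body packet." also has a duplicated "the".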
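Review bot: In the @@ -1350 hunk of HttpImpl.c, `HttpMsg->BodyLength = HttpInstance->NextMsg - (CHAR8 *) HttpMsg->Body;` replaces a MIN()-clamped assignment with an unclamped pointer difference stored in an unsigned length. If NextMsg ever falls outside HttpMsg->Body .. Body + BodyLength, the length wraps, `Fragment.Len - HttpMsg->BodyLength` wraps with it, and the following CopyMem reads from `Fragment.Bulk + HttpMsg->BodyLength`. Suggest an explicit range check before the subtraction, or keeping the MIN() against the previous BodyLength. Separately, NextMsg is now set to CacheBody whenever CacheLen != 0, including when the callback left it NULL, whereas the removed else branch did not set it; please confirm that this is intended.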
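Review bot: In the @@ -194 hunk of HttpProto.c, the three CallbackData assignments are the third hand-written copy of the same sequence (the @@ -1189 and @@ -1330 hunks of HttpImpl.c carry the other two), and the fix is only correct if every HttpParseMessageBody call is preceded by them. Suggest a small helper that records Wrap, ParseData and ParseDataLength and then calls HttpParseMessageBody with the same pointer and length, so the buffer given to the parser and the buffer the callback compares against cannot diverge.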
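Review bot: In the @@ -89 hunk of HttpProto.h, HTTP_CALLBACK_DATA declares `VOID *ParseData` and `VOID *Wrap` although the callback immediately uses them as CHAR8 * and HTTP_TOKEN_WRAP *, and the fields have no description. If declaration order allows, typing the members directly removes the casts in HttpBodyParserCallback; either way, a per-field comment should state that ParseData and ParseDataLength must describe the exact buffer passed to HttpParseMessageBody.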