From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.88; helo=mga01.intel.com; envelope-from=siyuan.fu@intel.com; receiver=edk2-devel@lists.01.org Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 5EDF921154880 for ; Mon, 24 Sep 2018 20:47:33 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Sep 2018 20:47:33 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,300,1534834800"; d="scan'208";a="91617309" Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206]) by fmsmga004.fm.intel.com with ESMTP; 24 Sep 2018 20:47:12 -0700 Received: from fmsmsx118.amr.corp.intel.com (10.18.116.18) by FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 24 Sep 2018 20:47:12 -0700 Received: from shsmsx152.ccr.corp.intel.com (10.239.6.52) by fmsmsx118.amr.corp.intel.com (10.18.116.18) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 24 Sep 2018 20:47:11 -0700 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.245]) by SHSMSX152.ccr.corp.intel.com ([169.254.6.37]) with mapi id 14.03.0319.002; Tue, 25 Sep 2018 11:43:19 +0800 From: "Fu, Siyuan" To: "Li, Songpeng" , "edk2-devel@lists.01.org" CC: "Wu, Jiaxin" Thread-Topic: [PATCH] NetworkPkg: fix read memory access overflow in HTTPBoot. Thread-Index: AQHUVIAG/0an3UDK/EGYFXE3lwISO6UAWZiA Date: Tue, 25 Sep 2018 03:43:19 +0000 Message-ID: References: <20180925032845.18836-1-songpeng.li@intel.com> In-Reply-To: <20180925032845.18836-1-songpeng.li@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ctpclassification: CTP_NT x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYTI5Y2EyMjUtZmFhNy00MzQ5LTk5OTEtOTBhYmVjMzQxMDBiIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiQzJlZ0I0UUEyaG1renlBVDlsUlwvQWxHTHJsRmlGN0VGamg0S3BDMklRY0xoWFhrSktFS0xIRGNzVHBJUWw4Rm0ifQ== dlp-product: dlpe-windows dlp-version: 11.0.400.15 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH] NetworkPkg: fix read memory access overflow in HTTPBoot. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Sep 2018 03:47:33 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi, Songpeng The change is ok with me while I have one comment for the original Allocate= ZeroPool() in these places. Since there will be always a CopyMem() to fill = up data content to the new allocated buffer, there is no need to use Alloca= teZeroPool(), just AllocatePool() and adding null terminator should be enou= gh. This will save the unnecessary ZeroMem() time cost for better performan= ce. Thanks. BestRegards Fu Siyuan > -----Original Message----- > From: Li, Songpeng > Sent: Tuesday, September 25, 2018 11:29 AM > To: edk2-devel@lists.01.org > Cc: Fu, Siyuan ; Wu, Jiaxin > Subject: [PATCH] NetworkPkg: fix read memory access overflow in HTTPBoot. >=20 > The input param String of AsciiStrStr() requires a pointer to > Null-terminated string, however in HttpTcpReceiveHeader() and > HttpUtilitiesParse(), the Buffersize before AllocateZeroPool() > is equal to the size of TCP header, after the CopyMem(), it > might not end with Null-terminator. It might cause memory > access overflow. >=20 > Cc: Fu Siyuan > Cc: Wu Jiaxin > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1204 > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Songpeng Li > --- > NetworkPkg/HttpDxe/HttpProto.c | 4 ++-- > NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c | 4 +++- > 2 files changed, 5 insertions(+), 3 deletions(-) >=20 > diff --git a/NetworkPkg/HttpDxe/HttpProto.c > b/NetworkPkg/HttpDxe/HttpProto.c > index 94f89f5665..c729f76eff 100644 > --- a/NetworkPkg/HttpDxe/HttpProto.c > +++ b/NetworkPkg/HttpDxe/HttpProto.c > @@ -1917,7 +1917,7 @@ HttpTcpReceiveHeader ( > // Append the response string. > // > *BufferSize =3D *SizeofHeaders + Fragment.Len; > - Buffer =3D AllocateZeroPool (*BufferSize); > + Buffer =3D AllocateZeroPool (*BufferSize + 1); > if (Buffer =3D=3D NULL) { > Status =3D EFI_OUT_OF_RESOURCES; > return Status; > @@ -2016,7 +2016,7 @@ HttpTcpReceiveHeader ( > // Append the response string. > // > *BufferSize =3D *SizeofHeaders + Fragment.Len; > - Buffer =3D AllocateZeroPool (*BufferSize); > + Buffer =3D AllocateZeroPool (*BufferSize + 1); > if (Buffer =3D=3D NULL) { > Status =3D EFI_OUT_OF_RESOURCES; > return Status; > diff --git a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c > b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c > index a9a1c7c586..2292b52537 100644 > --- a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c > +++ b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c > @@ -298,6 +298,7 @@ HttpUtilitiesParse ( > CHAR8 *FieldName; > CHAR8 *FieldValue; > UINTN Index; > + UINTN HttpBufferSize; >=20 > Status =3D EFI_SUCCESS; > TempHttpMessage =3D NULL; > @@ -311,7 +312,8 @@ HttpUtilitiesParse ( > return EFI_INVALID_PARAMETER; > } >=20 > - TempHttpMessage =3D AllocateZeroPool (HttpMessageSize); > + HttpBufferSize =3D HttpMessageSize + 1; > + TempHttpMessage =3D AllocateZeroPool (HttpBufferSize); > if (TempHttpMessage =3D=3D NULL) { > return EFI_OUT_OF_RESOURCES; > } > -- > 2.18.0.windows.1