From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ting.ye@intel.com>
Received: from mga06.intel.com (mga06.intel.com [134.134.136.31])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 2AEF6818F0
 for <edk2-devel@lists.01.org>; Mon, 26 Dec 2016 00:00:20 -0800 (PST)
Received: from fmsmga002.fm.intel.com ([10.253.24.26])
 by orsmga104.jf.intel.com with ESMTP; 26 Dec 2016 00:00:19 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.33,404,1477983600"; d="scan'208";a="1104263907"
Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202])
 by fmsmga002.fm.intel.com with ESMTP; 26 Dec 2016 00:00:19 -0800
Received: from fmsmsx120.amr.corp.intel.com (10.18.124.208) by
 fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Mon, 26 Dec 2016 00:00:19 -0800
Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by
 fmsmsx120.amr.corp.intel.com (10.18.124.208) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Mon, 26 Dec 2016 00:00:18 -0800
Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.20]) by
 SHSMSX101.ccr.corp.intel.com ([169.254.1.177]) with mapi id 14.03.0248.002;
 Mon, 26 Dec 2016 16:00:17 +0800
From: "Ye, Ting" <ting.ye@intel.com>
To: "Wu, Jiaxin" <jiaxin.wu@intel.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
CC: "Wu, Hao A" <hao.a.wu@intel.com>, "Fu, Siyuan" <siyuan.fu@intel.com>,
 "Wu, Jiaxin" <jiaxin.wu@intel.com>
Thread-Topic: [edk2] [Patch] NetworkPkg/HttpDxe: Fix the potential NULL
 dereference
Thread-Index: AQHSXMq9ImilZT6DZkupuAXGz/efQKEZ4ocA
Date: Mon, 26 Dec 2016 08:00:17 +0000
Message-ID: <BC0C045B0E2A584CA4575E779FA2C12A1A8A21F7@SHSMSX103.ccr.corp.intel.com>
References: <1482462888-305872-1-git-send-email-jiaxin.wu@intel.com>
In-Reply-To: <1482462888-305872-1-git-send-email-jiaxin.wu@intel.com>
Accept-Language: zh-CN, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [Patch] NetworkPkg/HttpDxe: Fix the potential NULL dereference
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Dec 2016 08:00:20 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Ye Ting <ting.ye@intel.com>=20

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jiax=
in Wu
Sent: Friday, December 23, 2016 11:15 AM
To: edk2-devel@lists.01.org
Cc: Ye, Ting <ting.ye@intel.com>; Wu, Hao A <hao.a.wu@intel.com>; Fu, Siyua=
n <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
Subject: [edk2] [Patch] NetworkPkg/HttpDxe: Fix the potential NULL derefere=
nce

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Hao A <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
 NetworkPkg/HttpDxe/HttpImpl.c     |  4 ++-
 NetworkPkg/HttpDxe/HttpProto.c    |  6 +++-
 NetworkPkg/HttpDxe/HttpsSupport.c | 74 +++++++++++++++++++++++++++--------=
----
 3 files changed, 60 insertions(+), 24 deletions(-)

diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c =
index 77aa64a..d19f733 100644
--- a/NetworkPkg/HttpDxe/HttpImpl.c
+++ b/NetworkPkg/HttpDxe/HttpImpl.c
@@ -589,14 +589,16 @@ EfiHttpRequest (
     }
   }
=20
   Status =3D HttpGenRequestMessage (HttpMsg, FileUrl, &RequestMsg, &Reques=
tMsgSize);
=20
-  if (EFI_ERROR (Status)) {
+  if (EFI_ERROR (Status) || NULL =3D=3D RequestMsg) {
     goto Error3;
   }
=20
+  ASSERT (RequestMsg !=3D NULL);
+
   //
   // Every request we insert a TxToken and a response call would remove th=
e TxToken.
   // In cases of PUT/POST, after an initial request-response pair, we woul=
d do a
   // continuous request without a response call. So, in such cases, where =
Request
   // structure is NULL, we would not insert a TxToken.
diff --git a/NetworkPkg/HttpDxe/HttpProto.c b/NetworkPkg/HttpDxe/HttpProto.=
c index 36c61e2..199d575 100644
--- a/NetworkPkg/HttpDxe/HttpProto.c
+++ b/NetworkPkg/HttpDxe/HttpProto.c
@@ -1653,10 +1653,12 @@ HttpTcpTransmit (
   CHAR8                     *RequestMsg;
   CHAR8                     *Url;
   UINTN                     UrlSize;
   UINTN                     RequestMsgSize;
=20
+  RequestMsg =3D NULL;
+
   ValueInItem =3D (HTTP_TOKEN_WRAP *) Item->Value;
   if (ValueInItem->TcpWrap.IsTxDone) {
     return EFI_SUCCESS;
   }
=20
@@ -1680,14 +1682,16 @@ HttpTcpTransmit (
                  &RequestMsg,
                  &RequestMsgSize
                  );
   FreePool (Url);
=20
-  if (EFI_ERROR (Status)){
+  if (EFI_ERROR (Status) || NULL =3D=3D RequestMsg){
     return Status;
   }
=20
+  ASSERT (RequestMsg !=3D NULL);
+
   //
   // Transmit the request message.
   //
   Status =3D HttpTransmitTcp (
              ValueInItem->HttpInstance, diff --git a/NetworkPkg/HttpDxe/Ht=
tpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 478a9e0..c9e6988 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -399,37 +399,41 @@ TlsConfigCertificate (
                    NULL,
                    &CACertSize,
                    NULL
                    );
=20
-  if (Status =3D=3D EFI_BUFFER_TOO_SMALL) {
+  if (EFI_ERROR (Status) && Status !=3D EFI_BUFFER_TOO_SMALL) {
+    return Status;
+  }
+
+  //
+  // Allocate buffer and read the config variable.
+  //
+  CACert =3D AllocatePool (CACertSize);
+  if (CACert =3D=3D NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  Status =3D gRT->GetVariable (
+                  EFI_TLS_CA_CERTIFICATE_VARIABLE,
+                  &gEfiTlsCaCertificateGuid,
+                  NULL,
+                  &CACertSize,
+                  CACert
+                  );
+  if (EFI_ERROR (Status)) {
     //
-    // Allocate buffer and read the config variable.
+    // GetVariable still error or the variable is corrupted.
+    // Fall back to the default value.
     //
-    CACert =3D AllocatePool (CACertSize);
-    if (CACert =3D=3D NULL) {
-      return EFI_OUT_OF_RESOURCES;
-    }
-
-    Status =3D gRT->GetVariable (
-                    EFI_TLS_CA_CERTIFICATE_VARIABLE,
-                    &gEfiTlsCaCertificateGuid,
-                    NULL,
-                    &CACertSize,
-                    CACert
-                    );
-    if (EFI_ERROR (Status)) {
-      //
-      // GetVariable still error or the variable is corrupted.
-      // Fall back to the default value.
-      //
-      FreePool (CACert);
+    FreePool (CACert);
=20
-      return EFI_NOT_FOUND;
-    }
+    return EFI_NOT_FOUND;
   }
=20
+  ASSERT (CACert !=3D NULL);
+
   //
   // Enumerate all data and erasing the target item.
   //
   ItemDataSize =3D (UINT32) CACertSize;
   CertList =3D (EFI_SIGNATURE_LIST *) CACert; @@ -1035,10 +1039,15 @@ TlsC=
onnectSession (
   //
   // Transmit ClientHello
   //
   PacketOut =3D NetbufAlloc ((UINT32) BufferOutSize);
   DataOut =3D NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize, NET_BUF=
_TAIL);
+  if (DataOut =3D=3D NULL) {
+    FreePool (BufferOut);
+    return EFI_OUT_OF_RESOURCES;
+  }
+ =20
   CopyMem (DataOut, BufferOut, BufferOutSize);
   Status =3D TlsCommonTransmit (HttpInstance, PacketOut);
=20
   FreePool (BufferOut);
   NetbufFree (PacketOut);
@@ -1105,19 +1114,25 @@ TlsConnectSession (
     }
=20
     FreePool (BufferIn);
=20
     if (EFI_ERROR (Status)) {
+      FreePool (BufferOut);
       return Status;
     }
=20
     if (BufferOutSize !=3D 0) {
       //
       // Transmit the response packet.
       //
       PacketOut =3D NetbufAlloc ((UINT32) BufferOutSize);
       DataOut =3D NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize, NET=
_BUF_TAIL);
+      if (DataOut =3D=3D NULL) {
+        FreePool (BufferOut);
+        return EFI_OUT_OF_RESOURCES;
+      }
+     =20
       CopyMem (DataOut, BufferOut, BufferOutSize);
=20
       Status =3D TlsCommonTransmit (HttpInstance, PacketOut);
=20
       NetbufFree (PacketOut);
@@ -1265,10 +1280,15 @@ TlsCloseSession (
     return Status;
   }
=20
   PacketOut =3D NetbufAlloc ((UINT32) BufferOutSize);
   DataOut =3D NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize, NET_BUF=
_TAIL);
+  if (DataOut =3D=3D NULL) {
+    FreePool (BufferOut);
+    return EFI_OUT_OF_RESOURCES;
+  }
+ =20
   CopyMem (DataOut, BufferOut, BufferOutSize);
=20
   Status =3D TlsCommonTransmit (HttpInstance, PacketOut);
=20
   FreePool (BufferOut);
@@ -1538,10 +1558,15 @@ HttpsReceive (
         }
=20
         if (BufferOutSize !=3D 0) {
           PacketOut =3D NetbufAlloc ((UINT32)BufferOutSize);
           DataOut =3D NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize,=
 NET_BUF_TAIL);
+          if (DataOut =3D=3D NULL) {
+            FreePool (BufferOut);
+            return EFI_OUT_OF_RESOURCES;
+          }
+         =20
           CopyMem (DataOut, BufferOut, BufferOutSize);
=20
           Status =3D TlsCommonTransmit (HttpInstance, PacketOut);
=20
           NetbufFree (PacketOut);
@@ -1625,10 +1650,15 @@ HttpsReceive (
     }
=20
     if (BufferOutSize !=3D 0) {
       PacketOut =3D NetbufAlloc ((UINT32) BufferOutSize);
       DataOut =3D NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize, NET=
_BUF_TAIL);
+      if (DataOut =3D=3D NULL) {
+        FreePool (BufferOut);
+        return EFI_OUT_OF_RESOURCES;
+      }
+     =20
       CopyMem (DataOut, BufferOut, BufferOutSize);
=20
       Status =3D TlsCommonTransmit (HttpInstance, PacketOut);
=20
       NetbufFree (PacketOut);
--
1.9.5.msysgit.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel