From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 2AEF6818F0 for ; Mon, 26 Dec 2016 00:00:20 -0800 (PST) Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orsmga104.jf.intel.com with ESMTP; 26 Dec 2016 00:00:19 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.33,404,1477983600"; d="scan'208";a="1104263907" Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202]) by fmsmga002.fm.intel.com with ESMTP; 26 Dec 2016 00:00:19 -0800 Received: from fmsmsx120.amr.corp.intel.com (10.18.124.208) by fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS) id 14.3.248.2; Mon, 26 Dec 2016 00:00:19 -0800 Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by fmsmsx120.amr.corp.intel.com (10.18.124.208) with Microsoft SMTP Server (TLS) id 14.3.248.2; Mon, 26 Dec 2016 00:00:18 -0800 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.20]) by SHSMSX101.ccr.corp.intel.com ([169.254.1.177]) with mapi id 14.03.0248.002; Mon, 26 Dec 2016 16:00:17 +0800 
From: "Ye, Ting" To: "Wu, Jiaxin" , "edk2-devel@lists.01.org" CC: "Wu, Hao A" , "Fu, Siyuan" , "Wu, Jiaxin" Thread-Topic: [edk2] [Patch] NetworkPkg/HttpDxe: Fix the potential NULL dereference Thread-Index: AQHSXMq9ImilZT6DZkupuAXGz/efQKEZ4ocA Date: Mon, 26 Dec 2016 08:00:17 +0000 Message-ID: References: <1482462888-305872-1-git-send-email-jiaxin.wu@intel.com> In-Reply-To: <1482462888-305872-1-git-send-email-jiaxin.wu@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [Patch] NetworkPkg/HttpDxe: Fix the potential NULL dereference X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Dec 2016 08:00:20 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Ye Ting =20 -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jiax= in Wu Sent: Friday, December 23, 2016 11:15 AM To: edk2-devel@lists.01.org Cc: Ye, Ting ; Wu, Hao A ; Fu, Siyua= n ; Wu, Jiaxin Subject: [edk2] [Patch] NetworkPkg/HttpDxe: Fix the potential NULL derefere= nce Cc: Ye Ting Cc: Fu Siyuan Cc: Wu Hao A Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin --- NetworkPkg/HttpDxe/HttpImpl.c | 4 ++- NetworkPkg/HttpDxe/HttpProto.c | 6 +++- NetworkPkg/HttpDxe/HttpsSupport.c | 74 +++++++++++++++++++++++++++--------= ---- 3 files changed, 60 insertions(+), 24 deletions(-) diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c = index 77aa64a..d19f733 100644 --- a/NetworkPkg/HttpDxe/HttpImpl.c +++ b/NetworkPkg/HttpDxe/HttpImpl.c 
@@ -589,14 +589,16 @@ EfiHttpRequest ( } } =20 Status =3D HttpGenRequestMessage (HttpMsg, FileUrl, &RequestMsg, &Reques= tMsgSize); =20 - if (EFI_ERROR (Status)) { + if (EFI_ERROR (Status) || NULL =3D=3D RequestMsg) { goto Error3; } =20 + ASSERT (RequestMsg !=3D NULL); + // // Every request we insert a TxToken and a response call would remove th= e TxToken. // In cases of PUT/POST, after an initial request-response pair, we woul= d do a // continuous request without a response call. So, in such cases, where = Request // structure is NULL, we would not insert a TxToken. diff --git a/NetworkPkg/HttpDxe/HttpProto.c b/NetworkPkg/HttpDxe/HttpProto.= c index 36c61e2..199d575 100644 --- a/NetworkPkg/HttpDxe/HttpProto.c +++ b/NetworkPkg/HttpDxe/HttpProto.c @@ -1653,10 +1653,12 @@ HttpTcpTransmit ( CHAR8 *RequestMsg; CHAR8 *Url; UINTN UrlSize; UINTN RequestMsgSize; =20 + RequestMsg =3D NULL; + ValueInItem =3D (HTTP_TOKEN_WRAP *) Item->Value; if (ValueInItem->TcpWrap.IsTxDone) { return EFI_SUCCESS; } =20 @@ -1680,14 +1682,16 @@ HttpTcpTransmit ( &RequestMsg, &RequestMsgSize ); FreePool (Url); =20 - if (EFI_ERROR (Status)){ + if (EFI_ERROR (Status) || NULL =3D=3D RequestMsg){ return Status; } =20 + ASSERT (RequestMsg !=3D NULL); + // // Transmit the request message. // Status =3D HttpTransmitTcp ( ValueInItem->HttpInstance, diff --git a/NetworkPkg/HttpDxe/Ht= tpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c index 478a9e0..c9e6988 100644 --- a/NetworkPkg/HttpDxe/HttpsSupport.c +++ b/NetworkPkg/HttpDxe/HttpsSupport.c 
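Review bot: The new guard in EfiHttpRequest, `if (EFI_ERROR (Status) || NULL == RequestMsg)`, jumps to Error3 without assigning an error code, so when HttpGenRequestMessage reports success but leaves RequestMsg NULL, Status is still EFI_SUCCESS on the error path. The same pattern in the HttpTcpTransmit hunk at -1680 is fully visible: `return Status;` there can report success to the caller although nothing was transmitted. Give the NULL case its own failure code before leaving, for example `Status = EFI_OUT_OF_RESOURCES;` or whichever code matches how HttpGenRequestMessage can fail. With the guard in place, the `ASSERT (RequestMsg != NULL);` that follows can never fire and could be dropped. What Error3 returns is outside the hunk, so confirm that it propagates Status.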
@@ -399,37 +399,41 @@ TlsConfigCertificate ( NULL, &CACertSize, NULL ); =20 - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + if (EFI_ERROR (Status) && Status !=3D EFI_BUFFER_TOO_SMALL) { + return Status; + } + + // + // Allocate buffer and read the config variable. + // + CACert =3D AllocatePool (CACertSize); + if (CACert =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + Status =3D gRT->GetVariable ( + EFI_TLS_CA_CERTIFICATE_VARIABLE, + &gEfiTlsCaCertificateGuid, + NULL, + &CACertSize, + CACert + ); + if (EFI_ERROR (Status)) { // - // Allocate buffer and read the config variable. + // GetVariable still error or the variable is corrupted. + // Fall back to the default value. // - CACert =3D AllocatePool (CACertSize); - if (CACert =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - Status =3D gRT->GetVariable ( - EFI_TLS_CA_CERTIFICATE_VARIABLE, - &gEfiTlsCaCertificateGuid, - NULL, - &CACertSize, - CACert - ); - if (EFI_ERROR (Status)) { - // - // GetVariable still error or the variable is corrupted. - // Fall back to the default value. - // - FreePool (CACert); + FreePool (CACert); =20 - return EFI_NOT_FOUND; - } + return EFI_NOT_FOUND; } =20 + ASSERT (CACert !=3D NULL); + // // Enumerate all data and erasing the target item. // ItemDataSize =3D (UINT32) CACertSize; CertList =3D (EFI_SIGNATURE_LIST *) CACert; @@ -1035,10 +1039,15 @@ TlsC= onnectSession ( // // Transmit ClientHello // PacketOut =3D NetbufAlloc ((UINT32) BufferOutSize); DataOut =3D NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize, NET_BUF= _TAIL); + if (DataOut =3D=3D NULL) { + FreePool (BufferOut); + return EFI_OUT_OF_RESOURCES; + } + =20 CopyMem (DataOut, BufferOut, BufferOutSize); Status =3D TlsCommonTransmit (HttpInstance, PacketOut); =20 FreePool (BufferOut); NetbufFree (PacketOut); 
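Review bot: The comment kept on the failure branch of the second GetVariable call in TlsConfigCertificate, "Fall back to the default value", does not match the code, which frees CACert and returns EFI_NOT_FOUND with no fallback visible in this hunk. For a CA certificate store the difference matters, because a maintainer could read the comment as meaning TLS setup continues with some default trust list when the variable is unreadable. I would reword it to state what happens, e.g. `// The variable could not be read; report it as not found.` The GetVariable status is also discarded on that branch, so a corrupted variable cannot be told apart from an absent one; returning Status would fix that if no caller depends on EFI_NOT_FOUND. The function starts and ends outside the hunk, so the callers' handling could not be checked.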
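Review bot: The added `DataOut == NULL` branch in TlsConnectSession (-1035) returns without releasing PacketOut, and PacketOut is still passed to NetbufAllocSpace unchecked, so a failed NetbufAlloc is only noticed after the NULL has presumably been dereferenced inside that call. Check PacketOut right after NetbufAlloc, and call NetbufFree (PacketOut) before returning when NetbufAllocSpace fails. The same five added lines appear in the -1105 hunk of TlsConnectSession, in TlsCloseSession (-1265) and in both HttpsReceive hunks (-1538, -1625), and need the same two changes. The enclosing functions start and end outside these hunks, so other resources held at those return points could not be checked.

```c
  PacketOut = NetbufAlloc ((UINT32) BufferOutSize);
  if (PacketOut == NULL) {
    FreePool (BufferOut);
    return EFI_OUT_OF_RESOURCES;
  }

  DataOut = NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize, NET_BUF_TAIL);
  if (DataOut == NULL) {
    FreePool (BufferOut);
    NetbufFree (PacketOut);
    return EFI_OUT_OF_RESOURCES;
  }

  // … unchanged: CopyMem, TlsCommonTransmit and the existing frees …
```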
@@ -1105,19 +1114,25 @@ TlsConnectSession ( } =20 FreePool (BufferIn); =20 if (EFI_ERROR (Status)) { + FreePool (BufferOut); return Status; } =20 if (BufferOutSize !=3D 0) { // // Transmit the response packet. // PacketOut =3D NetbufAlloc ((UINT32) BufferOutSize); DataOut =3D NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize, NET= _BUF_TAIL); + if (DataOut =3D=3D NULL) { + FreePool (BufferOut); + return EFI_OUT_OF_RESOURCES; + } + =20 CopyMem (DataOut, BufferOut, BufferOutSize); =20 Status =3D TlsCommonTransmit (HttpInstance, PacketOut); =20 NetbufFree (PacketOut); @@ -1265,10 +1280,15 @@ TlsCloseSession ( return Status; } =20 PacketOut =3D NetbufAlloc ((UINT32) BufferOutSize); DataOut =3D NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize, NET_BUF= _TAIL); + if (DataOut =3D=3D NULL) { + FreePool (BufferOut); + return EFI_OUT_OF_RESOURCES; + } + =20 CopyMem (DataOut, BufferOut, BufferOutSize); =20 Status =3D TlsCommonTransmit (HttpInstance, PacketOut); =20 FreePool (BufferOut); @@ -1538,10 +1558,15 @@ HttpsReceive ( } =20 if (BufferOutSize !=3D 0) { PacketOut =3D NetbufAlloc ((UINT32)BufferOutSize); DataOut =3D NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize,= NET_BUF_TAIL); + if (DataOut =3D=3D NULL) { + FreePool (BufferOut); + return EFI_OUT_OF_RESOURCES; + } + =20 CopyMem (DataOut, BufferOut, BufferOutSize); =20 Status =3D TlsCommonTransmit (HttpInstance, PacketOut); =20 NetbufFree (PacketOut); 
@@ -1625,10 +1650,15 @@ HttpsReceive ( } =20 if (BufferOutSize !=3D 0) { PacketOut =3D NetbufAlloc ((UINT32) BufferOutSize); DataOut =3D NetbufAllocSpace (PacketOut, (UINT32) BufferOutSize, NET= _BUF_TAIL); + if (DataOut =3D=3D NULL) { + FreePool (BufferOut); + return EFI_OUT_OF_RESOURCES; + } + =20 CopyMem (DataOut, BufferOut, BufferOutSize); =20 Status =3D TlsCommonTransmit (HttpInstance, PacketOut); =20 NetbufFree (PacketOut); -- 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel