mirror of https://github.com/acidanthera/audk.git
NetworkPkg/HttpUtilitiesDxe: fix read memory access overflow.
The input param String of AsciiStrStr() requires a pointer to Null-terminated string, however in HttpUtilitiesParse(), the Buffersize before AllocateZeroPool() is equal to the size of TCP header, after the CopyMem(), it might not end with Null-terminator. It might cause memory access overflow. Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Songpeng Li <songpeng.li@intel.com> Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
This commit is contained in:
parent
2239ea71b6
commit
130e629284
|
@ -298,6 +298,7 @@ HttpUtilitiesParse (
|
|||
CHAR8 *FieldName;
|
||||
CHAR8 *FieldValue;
|
||||
UINTN Index;
|
||||
UINTN HttpBufferSize;
|
||||
|
||||
Status = EFI_SUCCESS;
|
||||
TempHttpMessage = NULL;
|
||||
|
@ -311,12 +312,17 @@ HttpUtilitiesParse (
|
|||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
TempHttpMessage = AllocateZeroPool (HttpMessageSize);
|
||||
//
|
||||
// Append the http response string along with a Null-terminator.
|
||||
//
|
||||
HttpBufferSize = HttpMessageSize + 1;
|
||||
TempHttpMessage = AllocatePool (HttpBufferSize);
|
||||
if (TempHttpMessage == NULL) {
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
|
||||
CopyMem (TempHttpMessage, HttpMessage, HttpMessageSize);
|
||||
*(TempHttpMessage + HttpMessageSize) = '\0';
|
||||
|
||||
//
|
||||
// Get header number
|
||||
|
|
Loading…
Reference in New Issue