From 130e62928449ba35375282e045aecb8cc29697ec Mon Sep 17 00:00:00 2001
From: "Li, Songpeng"
Date: Fri, 28 Sep 2018 11:02:35 +0800
Subject: [PATCH] NetworkPkg/HttpUtilitiesDxe: fix read memory access overflow.
The input param String of AsciiStrStr() requires a pointer to Null-terminated string, however in HttpUtilitiesParse(), the Buffersize before AllocateZeroPool() is equal to the size of TCP header, after the CopyMem(), it might not end with Null-terminator. It might cause memory access overflow.
Cc: Fu Siyuan
Cc: Wu Jiaxin
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Songpeng Li
Reviewed-by: Fu Siyuan
---
 NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
index a9a1c7c586..b0e3e7f081 100644
--- a/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
+++ b/NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c
@@ -298,6 +298,7 @@ HttpUtilitiesParse (
 CHAR8 *FieldName;
 CHAR8 *FieldValue;
 UINTN Index;
+ UINTN HttpBufferSize;
 Status = EFI_SUCCESS;
 TempHttpMessage = NULL;
@@ -311,12 +312,17 @@ HttpUtilitiesParse (
 return EFI_INVALID_PARAMETER;
 }
- TempHttpMessage = AllocateZeroPool (HttpMessageSize);
+ //
+ // Append the http response string along with a Null-terminator.
+ //
+ HttpBufferSize = HttpMessageSize + 1;
+ TempHttpMessage = AllocatePool (HttpBufferSize);
 if (TempHttpMessage == NULL) {
 return EFI_OUT_OF_RESOURCES;
 }
 CopyMem (TempHttpMessage, HttpMessage, HttpMessageSize);
+ *(TempHttpMessage + HttpMessageSize) = '\0';
 //
 // Get header number
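Review bot: In the second hunk, `HttpBufferSize = HttpMessageSize + 1;` wraps to 0 when HttpMessageSize is MAX_UINTN, while the CopyMem and the terminator store that follow still use the original HttpMessageSize and would write past the undersized allocation. Only the tail of the parameter check above the allocation is visible here, so it may already bound the size; if it does not, reject the wrap before allocating with `if (HttpMessageSize == MAX_UINTN) { return EFI_INVALID_PARAMETER; }`. The comment on the new lines could also say why the extra byte exists, for example `// AsciiStrStr() needs a Null-terminated buffer; HttpMessage is not guaranteed to end with one.` HttpUtilitiesParse starts and ends outside both hunks.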