NetworkPkg/HttpUtilitiesDxe: fix read memory access overflow.

The input parameter String of AsciiStrStr() must point to a
Null-terminated string. However, in HttpUtilitiesParse(), the
buffer size used for AllocateZeroPool() is equal to the size
of the TCP header, so after the CopyMem() the buffer might not
end with a Null-terminator. This might cause a memory access overflow.

Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Songpeng Li <songpeng.li@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Li, Songpeng 2018-09-28 11:02:35 +08:00 committed by Fu Siyuan
parent 2239ea71b6
commit 130e629284
1 changed files with 7 additions and 1 deletions


@ -298,6 +298,7 @@ HttpUtilitiesParse (
CHAR8 *FieldName; CHAR8 *FieldName;
CHAR8 *FieldValue; CHAR8 *FieldValue;
UINTN Index; UINTN Index;
UINTN HttpBufferSize;
Status = EFI_SUCCESS; Status = EFI_SUCCESS;
TempHttpMessage = NULL; TempHttpMessage = NULL;
@ -311,12 +312,17 @@ HttpUtilitiesParse (
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
TempHttpMessage = AllocateZeroPool (HttpMessageSize); //
// Append the http response string along with a Null-terminator.
//
HttpBufferSize = HttpMessageSize + 1;
TempHttpMessage = AllocatePool (HttpBufferSize);
if (TempHttpMessage == NULL) { if (TempHttpMessage == NULL) {
return EFI_OUT_OF_RESOURCES; return EFI_OUT_OF_RESOURCES;
} }
CopyMem (TempHttpMessage, HttpMessage, HttpMessageSize); CopyMem (TempHttpMessage, HttpMessage, HttpMessageSize);
*(TempHttpMessage + HttpMessageSize) = '\0';
// //
// Get header number // Get header number
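Review bot: The new `HttpBufferSize = HttpMessageSize + 1;` is an unchecked UINTN addition, so a caller-supplied HttpMessageSize of MAX_UINTN wraps the allocation size to 0 while the following CopyMem and the terminator write at `*(TempHttpMessage + HttpMessageSize)` still use the original size. The parameter check above the allocation is only partly visible here, so it may already bound the size; if it does not, reject the value before the addition, e.g. `if (HttpMessageSize == MAX_UINTN) { return EFI_INVALID_PARAMETER; }`. Since the buffer now comes from AllocatePool rather than AllocateZeroPool, the explicit terminator is the only thing bounding later string scans, and a comment at that line saying so would help keep it from being dropped in a refactor. HttpUtilitiesParse begins and ends outside this hunk.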