NetworkPkg/HttpUtilitiesDxe: fix read memory access overflow.

The input param String of AsciiStrStr() requires a pointer to
 Null-terminated string, however in HttpUtilitiesParse(),
 the Buffersize before AllocateZeroPool() is equal to the size
 of TCP header, after the CopyMem(), it might not end with
 Null-terminator. It might cause memory access overflow.

Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Songpeng Li <songpeng.li@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
This commit is contained in:
Li, Songpeng 2018-09-28 11:02:35 +08:00 committed by Fu Siyuan
parent 2239ea71b6
commit 130e629284
1 changed files with 7 additions and 1 deletions

View File

@ -298,6 +298,7 @@ HttpUtilitiesParse (
CHAR8 *FieldName;
CHAR8 *FieldValue;
UINTN Index;
UINTN HttpBufferSize;
Status = EFI_SUCCESS;
TempHttpMessage = NULL;
@ -311,12 +312,17 @@ HttpUtilitiesParse (
return EFI_INVALID_PARAMETER;
}
TempHttpMessage = AllocateZeroPool (HttpMessageSize);
//
// Append the http response string along with a Null-terminator.
//
HttpBufferSize = HttpMessageSize + 1;
TempHttpMessage = AllocatePool (HttpBufferSize);
if (TempHttpMessage == NULL) {
return EFI_OUT_OF_RESOURCES;
}
CopyMem (TempHttpMessage, HttpMessage, HttpMessageSize);
*(TempHttpMessage + HttpMessageSize) = '\0';
//
// Get header number