NetworkPkg/HttpDxe: fix read memory access overflow in HTTPBoot.

The input param String of AsciiStrStr() requires a pointer to
 Null-terminated string, however in HttpTcpReceiveHeader(),
 the Buffersize before AllocateZeroPool() is equal to the size
 of TCP header, after the CopyMem(), it might not end with
 Null-terminator. It might cause memory access overflow.

Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Songpeng Li <songpeng.li@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>

NetworkPkg/HttpDxe/HttpProto.c

@@ -1914,10 +1914,10 @@ HttpTcpReceiveHeader (
       }
 
       //
-      // Append the response string.
+      // Append the response string along with a Null-terminator.
       //
       *BufferSize = *SizeofHeaders + Fragment.Len;
-      Buffer      = AllocateZeroPool (*BufferSize);
+      Buffer      = AllocatePool (*BufferSize + 1);
       if (Buffer == NULL) {
         Status = EFI_OUT_OF_RESOURCES;
         return Status;
@@ -1933,6 +1933,7 @@ HttpTcpReceiveHeader (
         Fragment.Bulk,
         Fragment.Len
         );
+      *(Buffer + *BufferSize) = '\0';
       *HttpHeaders   = Buffer;
       *SizeofHeaders = *BufferSize;
 
@@ -2013,10 +2014,10 @@ HttpTcpReceiveHeader (
       }
 
       //
-      // Append the response string.
+      // Append the response string along with a Null-terminator.
       //
       *BufferSize = *SizeofHeaders + Fragment.Len;
-      Buffer      = AllocateZeroPool (*BufferSize);
+      Buffer      = AllocatePool (*BufferSize + 1);
       if (Buffer == NULL) {
         Status = EFI_OUT_OF_RESOURCES;
         return Status;
@@ -2032,6 +2033,7 @@ HttpTcpReceiveHeader (
         Fragment.Bulk,
         Fragment.Len
         );
+      *(Buffer + *BufferSize) = '\0';
       *HttpHeaders   = Buffer;
       *SizeofHeaders = *BufferSize;