From 2239ea71b65072ce3c76d56e7074d2ee60ba1762 Mon Sep 17 00:00:00 2001
From: Songpeng Li
Date: Fri, 28 Sep 2018 11:02:34 +0800
Subject: [PATCH] NetworkPkg/HttpDxe: fix read memory access overflow in HTTPBoot.
The input param String of AsciiStrStr() requires a pointer to Null-terminated string, however in HttpTcpReceiveHeader(), the Buffersize before AllocateZeroPool() is equal to the size of TCP header, after the CopyMem(), it might not end with Null-terminator. It might cause memory access overflow.
Cc: Fu Siyuan
Cc: Wu Jiaxin
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Songpeng Li
Reviewed-by: Fu Siyuan
---
NetworkPkg/HttpDxe/HttpProto.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpProto.c b/NetworkPkg/HttpDxe/HttpProto.c
index 94f89f5665..7d69429be7 100644
--- a/NetworkPkg/HttpDxe/HttpProto.c
+++ b/NetworkPkg/HttpDxe/HttpProto.c
@@ -1914,10 +1914,10 @@ HttpTcpReceiveHeader (
 }
 //
- // Append the response string.
+ // Append the response string along with a Null-terminator.
 //
 *BufferSize = *SizeofHeaders + Fragment.Len;
- Buffer = AllocateZeroPool (*BufferSize);
+ Buffer = AllocatePool (*BufferSize + 1);
 if (Buffer == NULL) {
 Status = EFI_OUT_OF_RESOURCES;
 return Status;
@@ -1933,6 +1933,7 @@ HttpTcpReceiveHeader (
 Fragment.Bulk,
 Fragment.Len
 );
+ *(Buffer + *BufferSize) = '\0';
 *HttpHeaders = Buffer;
 *SizeofHeaders = *BufferSize;
@@ -2013,10 +2014,10 @@ HttpTcpReceiveHeader (
 }
 //
- // Append the response string.
+ // Append the response string along with a Null-terminator.
 //
 *BufferSize = *SizeofHeaders + Fragment.Len;
- Buffer = AllocateZeroPool (*BufferSize);
+ Buffer = AllocatePool (*BufferSize + 1);
 if (Buffer == NULL) {
 Status = EFI_OUT_OF_RESOURCES;
 return Status;
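Review bot: Switching from `AllocateZeroPool` to `AllocatePool` at `Buffer = AllocatePool (*BufferSize + 1);` (hunk at -1914, and again at -2013) leaves the buffer uninitialized, so its contents are only well defined if the copies that follow write all `*BufferSize` bytes. The copy of the previously received headers sits outside these hunks, so it cannot be confirmed from here that it always covers the first `*SizeofHeaders` bytes. Keeping the zeroing allocator with the larger size, `Buffer = AllocateZeroPool (*BufferSize + 1);`, would supply the terminator and leave no stale pool bytes for the header parser to read. The sum `*SizeofHeaders + Fragment.Len` and the `+ 1` are also unchecked; presumably header growth is bounded elsewhere, which is worth confirming.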
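Review bot: After `*(Buffer + *BufferSize) = '\0';` the allocation is one byte longer than the value stored by `*SizeofHeaders = *BufferSize;`, and nothing in the hunk at -1933 (or the identical one at -2032) records that. Code that later duplicates or re-allocates `*HttpHeaders` using `*SizeofHeaders` would drop the terminator and bring back the over-read this patch fixes. I would add a comment above the store, such as `// Buffer is (*BufferSize + 1) bytes: header data plus a Null-terminator that *SizeofHeaders does not count.`, and state the same in the function header. The CopyMem call and the rest of HttpTcpReceiveHeader lie outside the hunk.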
@@ -2032,6 +2033,7 @@ HttpTcpReceiveHeader (
 Fragment.Bulk,
 Fragment.Len
 );
+ *(Buffer + *BufferSize) = '\0';
 *HttpHeaders = Buffer;
 *SizeofHeaders = *BufferSize;
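Review bot: The added terminator stops the search from running past the buffer, but the bytes copied from `Fragment.Bulk` come from the network and may themselves contain a zero byte. A Null-terminated search such as AsciiStrStr() (named in the commit message; the call is outside this hunk) would then stop at that byte and never examine the data after it. If that search is how the end of the headers is detected, such a response would presumably keep this path appending data until allocation fails. A length-bounded search over `*SizeofHeaders` bytes, or rejecting a header block that contains `'\0'`, would close that gap; the same applies to the hunk at -1933.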