NetworkPkg/HttpDxe: fix read memory access overflow in HTTPBoot.

The input param String of AsciiStrStr() requires a pointer to Null-terminated string, however in HttpTcpReceiveHeader(), the Buffersize before AllocateZeroPool() is equal to the size of TCP header, after the CopyMem(), it might not end with Null-terminator. It might cause memory access overflow. Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Wu Jiaxin <jiaxin.wu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Songpeng Li <songpeng.li@intel.com> Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
author: Songpeng Li <songpeng.li@intel.com> 2018-09-28 11:02:34 +0800
committer: Fu Siyuan <siyuan.fu@intel.com> 2018-09-29 10:51:27 +0800
commit: 2239ea71b65072ce3c76d56e7074d2ee60ba1762 (patch)
tree: 888492f0da1d86f13710aed649f8dacb16c6704d /NetworkPkg
parent: b9cee524e6c1941b77b6780e19bd57052e53249c (diff)
download: edk2-2239ea71b65072ce3c76d56e7074d2ee60ba1762.zip
edk2-2239ea71b65072ce3c76d56e7074d2ee60ba1762.tar.gz
edk2-2239ea71b65072ce3c76d56e7074d2ee60ba1762.tar.bz2
1 files changed, 6 insertions, 4 deletions
diff --git a/NetworkPkg/HttpDxe/HttpProto.c b/NetworkPkg/HttpDxe/HttpProto.c
index 94f89f5..7d69429 100644
--- a/NetworkPkg/HttpDxe/HttpProto.c
+++ b/NetworkPkg/HttpDxe/HttpProto.c
@@ -1914,10 +1914,10 @@ HttpTcpReceiveHeader (
       }
 
       //
-      // Append the response string.
+      // Append the response string along with a Null-terminator.
       //
       *BufferSize = *SizeofHeaders + Fragment.Len;
-      Buffer      = AllocateZeroPool (*BufferSize);
+      Buffer      = AllocatePool (*BufferSize + 1);
       if (Buffer == NULL) {
         Status = EFI_OUT_OF_RESOURCES;
         return Status;
@@ -1933,6 +1933,7 @@ HttpTcpReceiveHeader (
         Fragment.Bulk,
         Fragment.Len
         );
+      *(Buffer + *BufferSize) = '\0';
       *HttpHeaders   = Buffer;
       *SizeofHeaders = *BufferSize;
 
@@ -2013,10 +2014,10 @@ HttpTcpReceiveHeader (
       }
 
       //
-      // Append the response string.
+      // Append the response string along with a Null-terminator.
       //
       *BufferSize = *SizeofHeaders + Fragment.Len;
-      Buffer      = AllocateZeroPool (*BufferSize);
+      Buffer      = AllocatePool (*BufferSize + 1);
       if (Buffer == NULL) {
         Status = EFI_OUT_OF_RESOURCES;
         return Status;
@@ -2032,6 +2033,7 @@ HttpTcpReceiveHeader (
         Fragment.Bulk,
         Fragment.Len
         );
+      *(Buffer + *BufferSize) = '\0';
       *HttpHeaders   = Buffer;
       *SizeofHeaders = *BufferSize;
author	Songpeng Li <songpeng.li@intel.com>	2018-09-28 11:02:34 +0800
committer	Fu Siyuan <siyuan.fu@intel.com>	2018-09-29 10:51:27 +0800
commit	2239ea71b65072ce3c76d56e7074d2ee60ba1762 (patch)
tree	888492f0da1d86f13710aed649f8dacb16c6704d /NetworkPkg
parent	b9cee524e6c1941b77b6780e19bd57052e53249c (diff)
download	edk2-2239ea71b65072ce3c76d56e7074d2ee60ba1762.zip edk2-2239ea71b65072ce3c76d56e7074d2ee60ba1762.tar.gz edk2-2239ea71b65072ce3c76d56e7074d2ee60ba1762.tar.bz2