v2: * Fix the GCC build error. This patch is to add the boundary condition check to make sure the accessed buffer is valid.
Cc: Gary Lin <g...@suse.com>
Cc: Ye Ting <ting...@intel.com>
Cc: Fu Siyuan <siyuan...@intel.com>
Cc: Wang Fan <fan.w...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin...@intel.com>
---
 MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c | 38 +++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c b/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c
index caddbb7..915b81d 100644
--- a/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c
+++ b/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c
@@ -54,11 +54,11 @@ UriPercentDecode (
 Index = 0;
 Offset = 0;
 HexStr[2] = '\0';
 while (Index < BufferLength) {
 if (Buffer[Index] == '%') {
- if (!NET_IS_HEX_CHAR (Buffer[Index+1]) || !NET_IS_HEX_CHAR (Buffer[Index+2])) {
+ if (Index + 1 >= BufferLength || Index + 2 >= BufferLength || !NET_IS_HEX_CHAR (Buffer[Index+1]) || !NET_IS_HEX_CHAR (Buffer[Index+2])) {
 return EFI_INVALID_PARAMETER;
 }
 HexStr[0] = Buffer[Index+1];
 HexStr[1] = Buffer[Index+2];
 ResultBuffer[Offset] = (CHAR8) AsciiStrHexToUintn (HexStr);
@@ -1556,20 +1556,31 @@ HttpGetFieldNameAndValue (
 )
 {
 CHAR8 *FieldNameStr;
 CHAR8 *FieldValueStr;
 CHAR8 *StrPtr;
+ CHAR8 *EndofHeader;
 if (String == NULL || FieldName == NULL || FieldValue == NULL) {
 return NULL;
 }
 *FieldName = NULL;
 *FieldValue = NULL;
 FieldNameStr = NULL;
 FieldValueStr = NULL;
 StrPtr = NULL;
+ EndofHeader = NULL;
+
+
+ //
+ // Check whether the raw HTTP header string is valid or not.
+ //
+ EndofHeader = AsciiStrStr (String, "\r\n\r\n");
+ if (EndofHeader == NULL) {
+ return NULL;
+ }
 //
 // Each header field consists of a name followed by a colon (":") and the field value.
 //
 FieldNameStr = String;
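Review bot: The guard added to the `%` branch of UriPercentDecode spells the bound as two clauses, `Index + 1 >= BufferLength || Index + 2 >= BufferLength`, where the second implies the first unless the addition wraps. The loop condition already guarantees `Index < BufferLength`, so a subtraction states the same bound with no overflow question: `if (BufferLength - Index < 3 || !NET_IS_HEX_CHAR (Buffer[Index+1]) || !NET_IS_HEX_CHAR (Buffer[Index+2])) {`. The declarations of Index and BufferLength and the rest of the function body are outside the hunk.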
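Review bot: The new `AsciiStrStr (String, "\r\n\r\n")` test in HttpGetFieldNameAndValue changes the function's contract without documenting it in the lines shown: a caller that passes header text without the terminating blank line now gets NULL. The search itself only stops at a NUL, so it bounds nothing unless String is NUL-terminated. The function header comment (outside this hunk) should state both preconditions, e.g. `String must be a NUL-terminated buffer that contains the end-of-header marker "\r\n\r\n"; otherwise NULL is returned.` As a style point, `EndofHeader = NULL;` is overwritten a few lines later and the two consecutive blank lines after it can be reduced to one.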
@@ -1583,17 +1594,36 @@ HttpGetFieldNameAndValue (
 //
 *(FieldValueStr - 1) = 0;
 //
 // The field value MAY be preceded by any amount of LWS, though a single SP is preferred.
+ // Note: LWS = [CRLF] 1*(SP|HT), it can be '\r\n ' or '\r\n\t' or ' ' or '\t'.
+ // CRLF = '\r\n'.
+ // SP = ' '.
+ // HT = '\t' (Tab).
 //
 while (TRUE) {
 if (*FieldValueStr == ' ' || *FieldValueStr == '\t') {
+ //
+ // Boundary condition check.
+ //
+ if ((UINTN)EndofHeader - (UINTN)(FieldValueStr) < 1) {
+ return NULL;
+ }
+
 FieldValueStr ++;
- } else if (*FieldValueStr == '\r' && *(FieldValueStr + 1) == '\n' &&
- (*(FieldValueStr + 2) == ' ' || *(FieldValueStr + 2) == '\t')) {
- FieldValueStr = FieldValueStr + 3;
+ } else if (*FieldValueStr == '\r') {
+ //
+ // Boundary condition check.
+ //
+ if ((UINTN)EndofHeader - (UINTN)(FieldValueStr) < 3) {
+ return NULL;
+ }
+
+ if (*(FieldValueStr + 1) == '\n' && (*(FieldValueStr + 2) == ' ' || *(FieldValueStr + 2) == '\t')) {
+ FieldValueStr = FieldValueStr + 3;
+ }
 } else {
 break;
 }
 }
--
1.9.5.msysgit.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
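Review bot: The rewritten `else if (*FieldValueStr == '\r')` branch neither advances nor breaks when the bytes after the CR are not LF followed by SP or HT, so `while (TRUE)` never terminates on a header whose value is empty or begins with a bare CR. The old combined condition fell through to `else { break; }` in that case. Give the inner test its own exit by adding `} else { break; }` after `FieldValueStr = FieldValueStr + 3;`. Separately, `(UINTN)EndofHeader - (UINTN)(FieldValueStr) < 1` wraps to a large value if FieldValueStr is already past EndofHeader, which may be possible if the colon search between the hunks (not shown) is not bounded by EndofHeader; a direct comparison such as `if (FieldValueStr >= EndofHeader)` covers both cases. The function body starts before this hunk.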