The String parameter of AsciiStrStr() must point to a Null-terminated string. However, in HttpTcpReceiveHeader() the BufferSize computed before AllocateZeroPool() is equal to the size of the TCP header, so after the CopyMem() the buffer might not end with a Null-terminator. This might cause a memory access overflow.
Cc: Fu Siyuan <siyuan...@intel.com>
Cc: Wu Jiaxin <jiaxin...@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Songpeng Li <songpeng...@intel.com>
---
 NetworkPkg/HttpDxe/HttpProto.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpProto.c b/NetworkPkg/HttpDxe/HttpProto.c
index 94f89f5665..7d69429be7 100644
--- a/NetworkPkg/HttpDxe/HttpProto.c
+++ b/NetworkPkg/HttpDxe/HttpProto.c
@@ -1914,10 +1914,10 @@ HttpTcpReceiveHeader (
 }
 //
- // Append the response string.
+ // Append the response string along with a Null-terminator.
 //
 *BufferSize = *SizeofHeaders + Fragment.Len;
- Buffer = AllocateZeroPool (*BufferSize);
+ Buffer = AllocatePool (*BufferSize + 1);
 if (Buffer == NULL) {
 Status = EFI_OUT_OF_RESOURCES;
 return Status;
@@ -1933,6 +1933,7 @@ HttpTcpReceiveHeader (
 Fragment.Bulk,
 Fragment.Len
 );
+ *(Buffer + *BufferSize) = '\0';
 *HttpHeaders = Buffer;
 *SizeofHeaders = *BufferSize;
@@ -2013,10 +2014,10 @@ HttpTcpReceiveHeader (
 }
 //
- // Append the response string.
+ // Append the response string along with a Null-terminator.
 //
 *BufferSize = *SizeofHeaders + Fragment.Len;
- Buffer = AllocateZeroPool (*BufferSize);
+ Buffer = AllocatePool (*BufferSize + 1);
 if (Buffer == NULL) {
 Status = EFI_OUT_OF_RESOURCES;
 return Status;
@@ -2032,6 +2033,7 @@ HttpTcpReceiveHeader (
 Fragment.Bulk,
 Fragment.Len
 );
+ *(Buffer + *BufferSize) = '\0';
 *HttpHeaders = Buffer;
 *SizeofHeaders = *BufferSize;
--
2.18.0.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
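Review bot: The allocation size in the hunk at line 1914, and in the identical hunk at line 2014, is `*SizeofHeaders + Fragment.Len` followed by `+ 1`, with no overflow check on either addition. If the sum wraps, the pool is smaller than the bytes that `CopyMem` and the terminator store then write into it. The lengths presumably come from data received from the peer, and no cap on accumulated header size is visible in these hunks. A guard before the addition would close this, for example `if (Fragment.Len >= MAX_UINTN - *SizeofHeaders) { Status = EFI_OUT_OF_RESOURCES; return Status; }`, mirroring the existing allocation-failure return. The function body starts and ends outside the hunk, so any cleanup needed on that path cannot be judged from here.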
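Review bot: The terminator stored by `*(Buffer + *BufferSize) = '\0';` in the hunk at line 1933, and again at line 2033, sits one byte past the length reported in `*SizeofHeaders`, and nothing at the store records that. A caller that later copies or re-allocates the headers using `*SizeofHeaders` alone would drop the terminator and bring back the unterminated-string read this commit fixes. A comment above the store would pin the contract, e.g. `// Buffer holds *BufferSize bytes plus one terminator byte that is not counted in *SizeofHeaders.` Because the allocation is no longer zero-filled, the result also depends on the two copies filling exactly `*BufferSize` bytes; the first copy is outside the hunk. `AllocateZeroPool (*BufferSize + 1)` would keep that guarantee independent of the copies.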