From: Jiaxin Wu
To: edk2-devel@lists.01.org
Cc: Ye Ting, Wang Fan, Fu Siyuan, Wu Jiaxin
Date: Tue, 26 Dec 2017 09:33:45 +0800
Message-Id: <1514252029-12720-2-git-send-email-jiaxin.wu@intel.com>
In-Reply-To: <1514252029-12720-1-git-send-email-jiaxin.wu@intel.com>
Subject: [edk2] [Patch 1/5] MdeModulePkg/DxeHttpLib: Add boundary condition check.

This patch is to add the boundary condition check to make sure the accessed buffer is valid.

Cc: Ye Ting
Cc: Fu Siyuan
Cc: Wang Fan
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin
--- MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c | 39 ++++++++++++++++++++++++= ---- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c b/MdeModulePkg/Li= brary/DxeHttpLib/DxeHttpLib.c index caddbb7..4d353d7 100644 --- a/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c +++ b/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c @@ -33,11 +33,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. @retval EFI_SUCCESS Successfully decoded the URI. @retval EFI_INVALID_PARAMETER Buffer is not a valid percent-encoded str= ing. =20 **/ EFI_STATUS -EFIAPI UriPercentDecode ( IN CHAR8 *Buffer, IN UINT32 BufferLength, OUT CHAR8 *ResultBuffer, OUT UINT32 *ResultLength 
@@ -54,11 +53,11 @@ UriPercentDecode ( Index =3D 0; Offset =3D 0; HexStr[2] =3D '\0'; while (Index < BufferLength) { if (Buffer[Index] =3D=3D '%') { - if (!NET_IS_HEX_CHAR (Buffer[Index+1]) || !NET_IS_HEX_CHAR (Buffer[I= ndex+2])) { + if (Index + 1 >=3D BufferLength || Index + 2 >=3D BufferLength || !N= ET_IS_HEX_CHAR (Buffer[Index+1]) || !NET_IS_HEX_CHAR (Buffer[Index+2])) { return EFI_INVALID_PARAMETER; } HexStr[0] =3D Buffer[Index+1]; HexStr[1] =3D Buffer[Index+2]; ResultBuffer[Offset] =3D (CHAR8) AsciiStrHexToUintn (HexStr); @@ -1556,20 +1555,31 @@ HttpGetFieldNameAndValue ( ) { CHAR8 *FieldNameStr; CHAR8 *FieldValueStr; CHAR8 *StrPtr; + CHAR8 *EndofHeader; =20 if (String =3D=3D NULL || FieldName =3D=3D NULL || FieldValue =3D=3D NUL= L) { return NULL; } =20 *FieldName =3D NULL; *FieldValue =3D NULL; FieldNameStr =3D NULL; FieldValueStr =3D NULL; StrPtr =3D NULL; + EndofHeader =3D NULL; + + + // + // Check whether the raw HTTP header string is valid or not. + // + EndofHeader =3D AsciiStrStr (String, "\r\n\r\n"); + if (EndofHeader =3D=3D NULL) { + return NULL; + } =20 // // Each header field consists of a name followed by a colon (":") and th= e field value. // FieldNameStr =3D String; 
@@ -1583,17 +1593,36 @@ HttpGetFieldNameAndValue ( // *(FieldValueStr - 1) =3D 0; =20 // // The field value MAY be preceded by any amount of LWS, though a single= SP is preferred. + // Note: LWS =3D [CRLF] 1*(SP|HT), it can be '\r\n ' or '\r\n\t' or ' '= or '\t'. + // CRLF =3D '\r\n'. + // SP =3D ' '. + // HT =3D '\t' (Tab). // while (TRUE) { if (*FieldValueStr =3D=3D ' ' || *FieldValueStr =3D=3D '\t') { + // + // Boundary condition check.=20 + // + if ((UINTN)EndofHeader - (UINTN)(FieldValueStr) < 1) { + return NULL; =20 + } + =20 FieldValueStr ++; - } else if (*FieldValueStr =3D=3D '\r' && *(FieldValueStr + 1) =3D=3D '= \n' && - (*(FieldValueStr + 2) =3D=3D ' ' || *(FieldValueStr + 2) = =3D=3D '\t')) { - FieldValueStr =3D FieldValueStr + 3; + } else if (*FieldValueStr =3D=3D '\r') { + // + // Boundary condition check.=20 + // + if ((UINTN)EndofHeader - (UINTN)(FieldValueStr) < 3) { + return NULL; =20 + } + + if (*(FieldValueStr + 1) =3D=3D '\n' && (*(FieldValueStr + 2) =3D=3D= ' ' || *(FieldValueStr + 2) =3D=3D '\t')) { + FieldValueStr =3D FieldValueStr + 3; + } } else { break; } } =20 --=20 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
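Review bot: In the `@@ -33,11 +33,10 @@` hunk, the `-EFIAPI` removal on UriPercentDecode is not covered by the commit message, which only describes boundary condition checks. Dropping the calling-convention annotation is a separate change from the buffer checks: please either explain it in the commit message or move it into its own patch, and confirm that any prototype for UriPercentDecode carries the same annotation as this definition.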
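Review bot: In the `@@ -54,11 +53,11 @@` hunk of UriPercentDecode, the `Index + 1 >= BufferLength` term is redundant, because `Index + 2 >= BufferLength` is true whenever it is, and both additions can wrap if Index is a 32-bit value and BufferLength is near the UINT32 maximum (the declaration of Index is not visible in this hunk). The loop condition already guarantees `Index < BufferLength`, so `BufferLength - Index < 3` expresses the same test with a subtraction that cannot underflow, and it shortens a condition that currently runs well past the usual line length.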
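Review bot: In the `@@ -1556,20 +1555,31 @@` hunk, the new `AsciiStrStr (String, "\r\n\r\n")` check makes HttpGetFieldNameAndValue return NULL for any String that does not contain the blank-line terminator, which is a new precondition that the hunk does not document. Please state in the function header comment that String must be the NUL-terminated raw header text including the final CRLF CRLF, so that callers passing a single field line know they will now get NULL. Minor: `EndofHeader = NULL;` is overwritten a few lines later, and the hunk adds two consecutive blank lines before the new comment.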
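Review bot: In the `@@ -1583,17 +1593,36 @@` hunk, the rewritten `else if (*FieldValueStr == '\r')` branch can spin forever: when the `'\r'` is not followed by `'\n'` plus SP or HT (for example a field with an empty value directly followed by the next field), the inner `if` is false, FieldValueStr is not advanced, and control returns to `while (TRUE)` with the same character. The old code reached `break` in that case; the inner `if` needs an `else` that either breaks or returns NULL. Separately, `(UINTN)EndofHeader - (UINTN)(FieldValueStr) < 1` in the SP/HT branch only fires when the two pointers are equal, which cannot happen there because `*EndofHeader` is `'\r'`, and if FieldValueStr were ever past EndofHeader the unsigned subtraction would wrap to a large value and pass the check; comparing the pointers directly (`FieldValueStr >= EndofHeader`) would make the intent explicit. The added `return NULL;` lines also carry trailing whitespace.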