NetworkPkg/HttpUtilitiesDxe: fix read memory access overflow.
authorLi, Songpeng <songpeng.li@intel.com>
Fri, 28 Sep 2018 03:02:35 +0000 (11:02 +0800)
committerFu Siyuan <siyuan.fu@intel.com>
Sat, 29 Sep 2018 02:51:37 +0000 (10:51 +0800)
The String parameter of AsciiStrStr() must point to a
 Null-terminated string. However, in HttpUtilitiesParse(), the
 buffer size passed to AllocateZeroPool() is equal to the size
 of the TCP header, so after the CopyMem() the buffer might not
 end with a Null-terminator. This might cause a memory access overflow.

Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1204
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Songpeng Li <songpeng.li@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesProtocol.c

index a9a1c7c586cc60fba3c6206f8f09c546ec28fa8b..b0e3e7f081fa689ce69a8b133133acf50ba567ca 100644 (file)
@@ -298,6 +298,7 @@ HttpUtilitiesParse (
   CHAR8                     *FieldName;\r
   CHAR8                     *FieldValue;\r
   UINTN                     Index;\r
+  UINTN                     HttpBufferSize;\r
 \r
   Status          = EFI_SUCCESS;\r
   TempHttpMessage = NULL;\r
@@ -311,12 +312,17 @@ HttpUtilitiesParse (
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
-  TempHttpMessage = AllocateZeroPool (HttpMessageSize);\r
+  //\r
+  // Append the http response string along with a Null-terminator.\r
+  //\r
+  HttpBufferSize = HttpMessageSize + 1;\r
+  TempHttpMessage = AllocatePool (HttpBufferSize);\r
   if (TempHttpMessage == NULL) {\r
     return EFI_OUT_OF_RESOURCES;\r
   }\r
 \r
   CopyMem (TempHttpMessage, HttpMessage, HttpMessageSize);\r
+  *(TempHttpMessage + HttpMessageSize) = '\0';\r
 \r
   //\r
   // Get header number\r
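Review bot: `HttpBufferSize = HttpMessageSize + 1;` can wrap to 0 if a caller passes HttpMessageSize equal to MAX_UINTN, and the CopyMem() and terminator write below would then still use the original HttpMessageSize against an undersized allocation. The parameter checks that end just above this hunk are not visible here, so confirm whether they already bound the size; if they do not, reject the value before the addition with `if (HttpMessageSize == MAX_UINTN) { return EFI_INVALID_PARAMETER; }`. It would also help to extend the new comment to say that AllocatePool() is enough here because CopyMem() and the terminator write together initialise every byte of the buffer. HttpUtilitiesParse() begins and ends outside the hunk.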