diff options
| author | Jiaxin Wu <jiaxin.wu@intel.com> | 2017-12-25 16:17:34 +0800 |
|---|---|---|
| committer | Jiaxin Wu <jiaxin.wu@intel.com> | 2017-12-27 16:28:35 +0800 |
| commit | b2a73b5b3cc6e3edc660384cd0d3d40fe04153b0 (patch) | |
| tree | 0cbbfe95e4ad3a3316b09d5fba2822a6e4a76a37 /MdeModulePkg/Library/DxeHttpLib | |
| parent | 786a4d1921d61d809af7f12020264327df409f3b (diff) | |
| download | edk2-b2a73b5b3cc6e3edc660384cd0d3d40fe04153b0.tar.gz edk2-b2a73b5b3cc6e3edc660384cd0d3d40fe04153b0.tar.bz2 edk2-b2a73b5b3cc6e3edc660384cd0d3d40fe04153b0.zip | |
MdeModulePkg/DxeHttpLib: Add boundary condition check.
v2:
* Fix GCC the build error.
This patch is to add the boundary condition check to make sure
the accessed buffer is valid.
Cc: Gary Lin <glin@suse.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wang Fan <fan.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Tested-by: Gary Lin <glin@suse.com>
Diffstat (limited to 'MdeModulePkg/Library/DxeHttpLib')
| -rw-r--r-- | MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c | 38 |
1 files changed, 34 insertions, 4 deletions
diff --git a/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c b/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c index caddbb7863..915b81d17c 100644 --- a/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c +++ b/MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.c @@ -56,7 +56,7 @@ UriPercentDecode ( HexStr[2] = '\0';
while (Index < BufferLength) {
if (Buffer[Index] == '%') {
- if (!NET_IS_HEX_CHAR (Buffer[Index+1]) || !NET_IS_HEX_CHAR (Buffer[Index+2])) {
+ if (Index + 1 >= BufferLength || Index + 2 >= BufferLength || !NET_IS_HEX_CHAR (Buffer[Index+1]) || !NET_IS_HEX_CHAR (Buffer[Index+2])) {
return EFI_INVALID_PARAMETER;
}
HexStr[0] = Buffer[Index+1];
@@ -1558,6 +1558,7 @@ HttpGetFieldNameAndValue ( CHAR8 *FieldNameStr;
CHAR8 *FieldValueStr;
CHAR8 *StrPtr;
+ CHAR8 *EndofHeader;
if (String == NULL || FieldName == NULL || FieldValue == NULL) {
return NULL;
@@ -1568,6 +1569,16 @@ HttpGetFieldNameAndValue ( FieldNameStr = NULL;
FieldValueStr = NULL;
StrPtr = NULL;
+ EndofHeader = NULL;
+
+
+ //
+ // Check whether the raw HTTP header string is valid or not.
+ //
+ EndofHeader = AsciiStrStr (String, "\r\n\r\n");
+ if (EndofHeader == NULL) {
+ return NULL;
+ }
//
// Each header field consists of a name followed by a colon (":") and the field value.
@@ -1585,13 +1596,32 @@ HttpGetFieldNameAndValue ( //
// The field value MAY be preceded by any amount of LWS, though a single SP is preferred.
+ // Note: LWS = [CRLF] 1*(SP|HT), it can be '\r\n ' or '\r\n\t' or ' ' or '\t'.
+ // CRLF = '\r\n'.
+ // SP = ' '.
+ // HT = '\t' (Tab).
//
while (TRUE) {
if (*FieldValueStr == ' ' || *FieldValueStr == '\t') {
+ //
+ // Boundary condition check.
+ //
+ if ((UINTN)EndofHeader - (UINTN)(FieldValueStr) < 1) {
+ return NULL;
+ }
+
FieldValueStr ++;
- } else if (*FieldValueStr == '\r' && *(FieldValueStr + 1) == '\n' &&
- (*(FieldValueStr + 2) == ' ' || *(FieldValueStr + 2) == '\t')) {
- FieldValueStr = FieldValueStr + 3;
+ } else if (*FieldValueStr == '\r') {
+ //
+ // Boundary condition check.
+ //
+ if ((UINTN)EndofHeader - (UINTN)(FieldValueStr) < 3) {
+ return NULL;
+ }
+
+ if (*(FieldValueStr + 1) == '\n' && (*(FieldValueStr + 2) == ' ' || *(FieldValueStr + 2) == '\t')) {
+ FieldValueStr = FieldValueStr + 3;
+ }
} else {
break;
}
|