[edk2-devel] [PATCH 1/1] NetworkPkg: Fix possible infinite loop in HTTP msg body parser

Vladimir Olovyannikov via groups.io vladimir.olovyannikov=broadcom.com at groups.io
Fri Oct 2 15:08:29 UTC 2020 

Hi Maciej,

Thank you for reviewing the patch.

> -----Original Message-----
> From: Rabeda, Maciej <maciej.rabeda at linux.intel.com>
> Sent: Friday, October 2, 2020 5:02 AM
> To: Vladimir Olovyannikov <vladimir.olovyannikov at broadcom.com>;
> devel at edk2.groups.io
> Cc: Jiaxin Wu <jiaxin.wu at intel.com>; Siyuan Fu <siyuan.fu at intel.com>;
> Laszlo Ersek <lersek at redhat.com>
> Subject: Re: [edk2-devel] [PATCH 1/1] NetworkPkg: Fix possible infinite
> loop
> in HTTP msg body parser
>
> Hi Vladimir,
>
> Functionally the patch is fine.
> However, from coding standard perspective, !PortionLen is not allowed -
> such structure is used only for BOOLEAN type values.
> Reference: Table 10,
> https://edk2-docs.gitbook.io/edk-ii-c-coding-standards-
> specification/5_source_files/57_c_programming#5-7-2-2-a-comparison-of-
> any-pointer-to-zero-must-be-done-via-the-null-type
Sorry, my bad. That's a result of switching between edk2 and Linux
developments.
>
> Do not submit v2, I will correct that upon merging. On terms CS issue is
> addressed, I am giving:
> Reviewed-by: Maciej Rabeda <maciej.rabeda at linux.intel.com>
Thank you Maciej,

Vladimir
>
> Thanks,
> Maciej
>
> On 01-Oct-20 17:25, Vladimir Olovyannikov wrote:
> > Hi Maciej,
> >
> > Thank you for looking into this.
> >
> > Vladimir
> >> -----Original Message-----
> >> From: Rabeda, Maciej <maciej.rabeda at linux.intel.com>
> >> Sent: Wednesday, September 30, 2020 2:57 AM
> >> To: devel at edk2.groups.io; vladimir.olovyannikov at broadcom.com
> >> Cc: Jiaxin Wu <jiaxin.wu at intel.com>; Siyuan Fu <siyuan.fu at intel.com>;
> >> Laszlo Ersek <lersek at redhat.com>
> >> Subject: Re: [edk2-devel] [PATCH 1/1] NetworkPkg: Fix possible
> >> infinite loop in HTTP msg body parser
> >>
> >> Hi Vladimir,
> >>
> >> Yes, this must have go past my radar, sorry. Things are becoming more
> >> and more busy out here :/ I will take a look at it by the end of week.
> >>
> >> On 24-Sep-20 23:57, Vladimir Olovyannikov via groups.io wrote:
> >>> Hi Maciej,
> >>>
> >>> Can you please review this patch?
> >>> It is sitting there for a while, looks like it slipped through the
> >>> cracks.
> >>>
> >>> Thank you,
> >>> Vladimir
> >>>> -----Original Message-----
> >>>> From: Vladimir Olovyannikov <vladimir.olovyannikov at broadcom.com>
> >>>> Sent: Friday, August 28, 2020 11:17 AM
> >>>> To: devel at edk2.groups.io
> >>>> Cc: Vladimir Olovyannikov <vladimir.olovyannikov at broadcom.com>;
> >>>> Maciej Rabeda <maciej.rabeda at linux.intel.com>; Jiaxin Wu
> >>>> <jiaxin.wu at intel.com>; Siyuan Fu <siyuan.fu at intel.com>
> >>>> Subject: [PATCH 1/1] NetworkPkg: Fix possible infinite loop in HTTP
> >>>> msg
> >>> body
> >>>> parser
> >>>>
> >>>> When an HTTP server sends a non-chunked body data with no
> Content-
> >>>> Length header, the HttpParserMessageBody in DxeHttpLib gets
> >>>> confused and never sets the Char pointer beyond the body start.
> >>>> This causes "for" loop to never break because the condition of
> >>>> "Char
> >>>>> =
> >>> Body
> >>>> + BodyLength" is never satisfied.
> >>>> Use BodyLength as the ContentLength for the parser when
> >> ContentLength
> >>>> is absent in HTTP response headers.
> >>>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2941
> >>>>
> >>>> Signed-off-by: Vladimir Olovyannikov
> >>>> <vladimir.olovyannikov at broadcom.com>
> >>>> Cc: Maciej Rabeda <maciej.rabeda at linux.intel.com>
> >>>> Cc: Jiaxin Wu <jiaxin.wu at intel.com>
> >>>> Cc: Siyuan Fu <siyuan.fu at intel.com>
> >>>> ---
> >>>>    NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c | 19
> >>>> ++++++++++++++++-
> >> --
> >>>>    1 file changed, 16 insertions(+), 3 deletions(-)
> >>>>
> >>>> diff --git a/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c
> >>>> b/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c
> >>>> index 180d9321025a..e550c9962dc1 100644
> >>>> --- a/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c
> >>>> +++ b/NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c
> >>>> @@ -1122,6 +1122,7 @@ HttpParseMessageBody (
> >>>>      CHAR8                 *Char;
> >>>>      UINTN                 RemainderLengthInThis;
> >>>>      UINTN                 LengthForCallback;
> >>>> +  UINTN                 PortionLength;
> >>>>      EFI_STATUS            Status;
> >>>>      HTTP_BODY_PARSER      *Parser;
> >>>>
> >>>> @@ -1173,19 +1174,31 @@ HttpParseMessageBody (
> >>>>          //
> >>>>          // Identity transfer-coding, just notify user to save the
> >>>> body
> >>> data.
> >>>>          //
> >>>> +      PortionLength = MIN (
> >>>> +                        BodyLength,
> >>>> +                        Parser->ContentLength -
> >>> Parser->ParsedBodyLength
> >>>> +                        );
> >>>> +      if (!PortionLength) {
> >>>> +        //
> >>>> +        // Got BodyLength, but no ContentLength. Use BodyLength.
> >>>> +        //
> >>>> +        PortionLength = BodyLength;
> >>>> +        Parser->ContentLength = PortionLength;
> >>>> +      }
> >>>> +
> >>>>          if (Parser->Callback != NULL) {
> >>>>            Status = Parser->Callback (
> >>>>                               BodyParseEventOnData,
> >>>>                               Char,
> >>>> -                           MIN (BodyLength, Parser->ContentLength -
> >>> Parser-
> >>>>> ParsedBodyLength),
> >>>> +                           PortionLength,
> >>>>                               Parser->Context
> >>>>                               );
> >>>>            if (EFI_ERROR (Status)) {
> >>>>              return Status;
> >>>>            }
> >>>>          }
> >>>> -      Char += MIN (BodyLength, Parser->ContentLength - Parser-
> >>>>> ParsedBodyLength);
> >>>> -      Parser->ParsedBodyLength += MIN (BodyLength, Parser-
> >>>>> ContentLength - Parser->ParsedBodyLength);
> >>>> +      Char += PortionLength;
> >>>> +      Parser->ParsedBodyLength += PortionLength;
> >>>>          if (Parser->ParsedBodyLength == Parser->ContentLength) {
> >>>>            Parser->State = BodyParserComplete;
> >>>>            if (Parser->Callback != NULL) {
> >>>> --
> >>>> 2.26.2.266.ge870325ee8
> >>> 
> >>>
> >>>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#65844): https://edk2.groups.io/g/devel/message/65844
Mute This Topic: https://groups.io/mt/76479891/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4193 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/edk2-devel-archive/attachments/20201002/c0866d29/attachment.p7s>

More information about the edk2-devel-archive mailing list