reject message with different values in multiple Content-Length heade…

…r field If multiple headers occur, usually the last header would have authority; however the section 3.3.3 of RFC 7230 states that: If a message is received without Transfer-Encoding and with either multiple Content-Length header fields having differing field-values or ..., then the message framing is invalid and the recipient MUST treat it as an unrecoverable error. For example: If there are 2 headers, for example, "Content-Length: 42" and "Content-Length: 52", then current shim httpboot.c will accept the last one which is "Content-Length": 52". This is not correct. This patch allows multiple values if they are the same, but rejects message if any different value is found. In function receive_http_response() of httpboot.c, each received duplicate Content-Length field must be checked whether its value is different. If it is, then this message is invalid. Signed-off-by: Dennis Tseng <[email protected]>
rhboot · Feb 26, 2025 · c1a1f0c · c1a1f0c
1 parent 5914984
commit c1a1f0c
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/httpboot.c b/httpboot.c
@@ -517,7 +517,7 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size)
 	EFI_HTTP_RESPONSE_DATA response;
 	EFI_HTTP_STATUS_CODE http_status;
 	BOOLEAN response_done;
-	UINTN i, downloaded;
+	UINTN i, j, downloaded;
 	CHAR8 rx_buffer[9216];
 	EFI_STATUS efi_status;
 	EFI_STATUS event_status;
@@ -574,6 +574,15 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size)
 		if (!strcasecmp(rx_message.Headers[i].FieldName,
 				(CHAR8 *)"Content-Length")) {
 			*buf_size = ascii_to_int(rx_message.Headers[i].FieldValue);
+			for(j = 0; j < i; j++) {
+				if (!strcasecmp(rx_message.Headers[i].FieldName,
+						(CHAR8 *)"Content-Length")) {
+					if (*buf_size != ascii_to_int(rx_message.Headers[j].FieldValue)) {
+						perror(L"Content-Length is invalid\n");
+						goto error;
+					}
+				}
+			}
 		}
 	}