1 files changed, 84 insertions, 0 deletions
diff --git a/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
new file mode 100644
index 0000000..426abb9
--- /dev/null
+++ b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
@@ -0,0 +1,84 @@
+From b8649cf2a3e673a4a8cb6c255e394b354b771550 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:59 +0200
+Subject: [PATCH 27/27] NetworkPkg/IScsiDxe: check IScsiHexToBin() return
+ values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+IScsiDxe (that is, the initiator) receives two hex-encoded strings from
+the iSCSI target:
+
+- CHAP_C, where the target challenges the initiator,
+
+- CHAP_R, where the target answers the challenge from the initiator (in
+  case the initiator wants mutual authentication).
+
+Accordingly, we have two IScsiHexToBin() call sites:
+
+- At the CHAP_C decoding site, check whether the decoding succeeds. The
+  decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
+  which is a permissible restriction on the target, per
+  <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
+  from the target are acceptable.
+
+- At the CHAP_R decoding site, enforce that the decoding both succeed, and
+  provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
+  calculated by the target, therefore it must be of fixed size. We may
+  only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-11-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index dbe3c8ef46..7e930c0d1e 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (
+ 
+     AuthData->InIdentifier      = (UINT32) Result;
+     AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
+-    IScsiHexToBin (
+-      (UINT8 *) AuthData->InChallenge,
+-      &AuthData->InChallengeLength,
+-      Challenge
+-      );
++    Status = IScsiHexToBin (
++               (UINT8 *) AuthData->InChallenge,
++               &AuthData->InChallengeLength,
++               Challenge
++               );
++    if (EFI_ERROR (Status)) {
++      Status = EFI_PROTOCOL_ERROR;
++      goto ON_EXIT;
++    }
+     Status = IScsiCHAPCalculateResponse (
+                AuthData->InIdentifier,
+                AuthData->AuthConfig->CHAPSecret,
+@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
+     }
+ 
+     RspLen = ISCSI_CHAP_RSP_LEN;
+-    IScsiHexToBin (TargetRsp, &RspLen, Response);
++    Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
++    if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
++      Status = EFI_PROTOCOL_ERROR;
++      goto ON_EXIT;
++    }
+ 
+     //
+     // Check the CHAP Name and Response replied by Target.
+-- 
+2.27.0
+