summaryrefslogtreecommitdiff
path: root/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
diff options
context:
space:
mode:
Diffstat (limited to '0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch')
-rw-r--r--0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch84
1 files changed, 84 insertions, 0 deletions
diff --git a/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
new file mode 100644
index 0000000..426abb9
--- /dev/null
+++ b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
@@ -0,0 +1,84 @@
+From b8649cf2a3e673a4a8cb6c255e394b354b771550 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:59 +0200
+Subject: [PATCH 27/27] NetworkPkg/IScsiDxe: check IScsiHexToBin() return
+ values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+IScsiDxe (that is, the initiator) receives two hex-encoded strings from
+the iSCSI target:
+
+- CHAP_C, where the target challenges the initiator,
+
+- CHAP_R, where the target answers the challenge from the initiator (in
+ case the initiator wants mutual authentication).
+
+Accordingly, we have two IScsiHexToBin() call sites:
+
+- At the CHAP_C decoding site, check whether the decoding succeeds. The
+ decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
+ which is a permissible restriction on the target, per
+ <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
+ from the target are acceptable.
+
+- At the CHAP_R decoding site, enforce that the decoding both succeed, and
+ provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
+ calculated by the target, therefore it must be of fixed size. We may
+ only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-11-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index dbe3c8ef46..7e930c0d1e 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (
+
+ AuthData->InIdentifier = (UINT32) Result;
+ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
+- IScsiHexToBin (
+- (UINT8 *) AuthData->InChallenge,
+- &AuthData->InChallengeLength,
+- Challenge
+- );
++ Status = IScsiHexToBin (
++ (UINT8 *) AuthData->InChallenge,
++ &AuthData->InChallengeLength,
++ Challenge
++ );
++ if (EFI_ERROR (Status)) {
++ Status = EFI_PROTOCOL_ERROR;
++ goto ON_EXIT;
++ }
+ Status = IScsiCHAPCalculateResponse (
+ AuthData->InIdentifier,
+ AuthData->AuthConfig->CHAPSecret,
+@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
+ }
+
+ RspLen = ISCSI_CHAP_RSP_LEN;
+- IScsiHexToBin (TargetRsp, &RspLen, Response);
++ Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
++ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
++ Status = EFI_PROTOCOL_ERROR;
++ goto ON_EXIT;
++ }
+
+ //
+ // Check the CHAP Name and Response replied by Target.
+--
+2.27.0
+