diff options
Diffstat (limited to '0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch')
-rw-r--r-- | 0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch new file mode 100644 index 0000000..426abb9 --- /dev/null +++ b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch @@ -0,0 +1,84 @@ +From b8649cf2a3e673a4a8cb6c255e394b354b771550 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek <lersek@redhat.com> +Date: Tue, 8 Jun 2021 14:12:59 +0200 +Subject: [PATCH 27/27] NetworkPkg/IScsiDxe: check IScsiHexToBin() return + values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +IScsiDxe (that is, the initiator) receives two hex-encoded strings from +the iSCSI target: + +- CHAP_C, where the target challenges the initiator, + +- CHAP_R, where the target answers the challenge from the initiator (in + case the initiator wants mutual authentication). + +Accordingly, we have two IScsiHexToBin() call sites: + +- At the CHAP_C decoding site, check whether the decoding succeeds. The + decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes, + which is a permissible restriction on the target, per + <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges + from the target are acceptable. + +- At the CHAP_R decoding site, enforce that the decoding both succeed, and + provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest + calculated by the target, therefore it must be of fixed size. We may + only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated. + +Cc: Jiaxin Wu <jiaxin.wu@intel.com> +Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> +Cc: Philippe Mathieu-Daudé <philmd@redhat.com> +Cc: Siyuan Fu <siyuan.fu@intel.com> +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> +Message-Id: <20210608121259.32451-11-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index dbe3c8ef46..7e930c0d1e 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived ( +
+ AuthData->InIdentifier = (UINT32) Result;
+ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
+- IScsiHexToBin (
+- (UINT8 *) AuthData->InChallenge,
+- &AuthData->InChallengeLength,
+- Challenge
+- );
++ Status = IScsiHexToBin (
++ (UINT8 *) AuthData->InChallenge,
++ &AuthData->InChallengeLength,
++ Challenge
++ );
++ if (EFI_ERROR (Status)) {
++ Status = EFI_PROTOCOL_ERROR;
++ goto ON_EXIT;
++ }
+ Status = IScsiCHAPCalculateResponse (
+ AuthData->InIdentifier,
+ AuthData->AuthConfig->CHAPSecret,
+@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived ( + }
+
+ RspLen = ISCSI_CHAP_RSP_LEN;
+- IScsiHexToBin (TargetRsp, &RspLen, Response);
++ Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
++ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
++ Status = EFI_PROTOCOL_ERROR;
++ goto ON_EXIT;
++ }
+
+ //
+ // Check the CHAP Name and Response replied by Target.
+-- +2.27.0 + |