mirror of https://github.com/acidanthera/audk.git
NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing
The IScsiHexToBin() function has the following parser issues:
(1) If the *subject sequence* in "HexStr" is empty, the function returns
EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should
be rejected.
(2) The function mis-handles a "HexStr" that ends with a stray nibble. For
example, if "HexStr" is "0xABC", the function decodes it to the bytes
{0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns
EFI_SUCCESS. Such inputs should be rejected.
(3) If an invalid hex char is found in "HexStr", the function treats it as
end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be
rejected.
All of the above cases are remotely triggerable, as shown in a subsequent
patch, which adds error checking to the IScsiHexToBin() call sites. While
the initiator is not immediately compromised, incorrectly parsing CHAP_R
from the target, in case of mutual authentication, is not great.
Extend the interface contract of IScsiHexToBin() with
EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement
the new checks.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-9-lersek@redhat.com>
This commit is contained in:
Laszlo Ersek
mergify[bot]
parent
dc469f1371
commit
47b76780b4
|
|
@ -376,6 +376,7 @@ IScsiBinToHex (
|
||||||
|
|
||||||
@retval EFI_SUCCESS The hexadecimal string is converted into a
|
@retval EFI_SUCCESS The hexadecimal string is converted into a
|
||||||
binary encoded buffer.
|
binary encoded buffer.
|
||||||
|
@retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
|
||||||
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
|
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
|
||||||
converted data.
|
converted data.
|
||||||
**/
|
**/
|
||||||
|
|
@ -402,14 +403,21 @@ IScsiHexToBin (
|
||||||
|
|
||||||
Length = AsciiStrLen (HexStr);
|
Length = AsciiStrLen (HexStr);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Reject an empty hex string; reject a stray nibble.
|
||||||
|
//
|
||||||
|
if (Length == 0 || Length % 2 != 0) {
|
||||||
|
return EFI_INVALID_PARAMETER;
|
||||||
|
}
|
||||||
|
|
||||||
for (Index = 0; Index < Length; Index ++) {
|
for (Index = 0; Index < Length; Index ++) {
|
||||||
TemStr[0] = HexStr[Index];
|
TemStr[0] = HexStr[Index];
|
||||||
Digit = (UINT8) AsciiStrHexToUint64 (TemStr);
|
Digit = (UINT8) AsciiStrHexToUint64 (TemStr);
|
||||||
if (Digit == 0 && TemStr[0] != '0') {
|
if (Digit == 0 && TemStr[0] != '0') {
|
||||||
//
|
//
|
||||||
// Invalid Lun Char.
|
// Invalid Hex Char.
|
||||||
//
|
//
|
||||||
break;
|
return EFI_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
if ((Index & 1) == 0) {
|
if ((Index & 1) == 0) {
|
||||||
BinBuffer [Index/2] = Digit;
|
BinBuffer [Index/2] = Digit;
|
||||||
|
|
|
||||||
|
|
@ -171,6 +171,7 @@ IScsiBinToHex (
|
||||||
|
|
||||||
@retval EFI_SUCCESS The hexadecimal string is converted into a
|
@retval EFI_SUCCESS The hexadecimal string is converted into a
|
||||||
binary encoded buffer.
|
binary encoded buffer.
|
||||||
|
@retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
|
||||||
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
|
@retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
|
||||||
converted data.
|
converted data.
|
||||||
**/
|
**/
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue