NetworkPkg/IScsiDxe: check IScsiHexToBin() return values

IScsiDxe (that is, the initiator) receives two hex-encoded strings from the iSCSI target: - CHAP_C, where the target challenges the initiator, - CHAP_R, where the target answers the challenge from the initiator (in case the initiator wants mutual authentication). Accordingly, we have two IScsiHexToBin() call sites: - At the CHAP_C decoding site, check whether the decoding succeeds. The decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes, which is a permissible restriction on the target, per <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges from the target are acceptable. - At the CHAP_R decoding site, enforce that the decoding both succeed, and provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest calculated by the target, therefore it must be of fixed size. We may only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Message-Id: <20210608121259.32451-11-lersek@redhat.com>
2021-06-08 14:12:59 +02:00 · 2021-06-08 14:12:59 +02:00 · b8649cf2a3
parent 54e90edaed
commit b8649cf2a3
1 changed files with 14 additions and 6 deletions
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (

    AuthData->InIdentifier      = (UINT32) Result;
    AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
-    IScsiHexToBin (
-      (UINT8 *) AuthData->InChallenge,
-      &AuthData->InChallengeLength,
-      Challenge
-      );
+    Status = IScsiHexToBin (
+               (UINT8 *) AuthData->InChallenge,
+               &AuthData->InChallengeLength,
+               Challenge
+               );
+    if (EFI_ERROR (Status)) {
+      Status = EFI_PROTOCOL_ERROR;
+      goto ON_EXIT;
+    }
    Status = IScsiCHAPCalculateResponse (
               AuthData->InIdentifier,
               AuthData->AuthConfig->CHAPSecret,
@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
    }

    RspLen = ISCSI_CHAP_RSP_LEN;
-    IScsiHexToBin (TargetRsp, &RspLen, Response);
+    Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
+    if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
+      Status = EFI_PROTOCOL_ERROR;
+      goto ON_EXIT;
+    }

    //
    // Check the CHAP Name and Response replied by Target.