From b8649cf2a3e673a4a8cb6c255e394b354b771550 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Tue, 8 Jun 2021 14:12:59 +0200 Subject: [PATCH] NetworkPkg/IScsiDxe: check IScsiHexToBin() return values MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit IScsiDxe (that is, the initiator) receives two hex-encoded strings from the iSCSI target: - CHAP_C, where the target challenges the initiator, - CHAP_R, where the target answers the challenge from the initiator (in case the initiator wants mutual authentication). Accordingly, we have two IScsiHexToBin() call sites: - At the CHAP_C decoding site, check whether the decoding succeeds. The decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes, which is a permissible restriction on the target, per . Shorter challenges from the target are acceptable. - At the CHAP_R decoding site, enforce that the decoding both succeed, and provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest calculated by the target, therefore it must be of fixed size. We may only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daudé Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 Signed-off-by: Laszlo Ersek Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Maciej Rabeda Message-Id: <20210608121259.32451-11-lersek@redhat.com> --- NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c index dbe3c8ef46..7e930c0d1e 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c @@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived ( AuthData->InIdentifier = (UINT32) Result; AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge); - IScsiHexToBin ( - (UINT8 *) AuthData->InChallenge, - &AuthData->InChallengeLength, - Challenge - ); + Status = IScsiHexToBin ( + (UINT8 *) AuthData->InChallenge, + &AuthData->InChallengeLength, + Challenge + ); + if (EFI_ERROR (Status)) { + Status = EFI_PROTOCOL_ERROR; + goto ON_EXIT; + } Status = IScsiCHAPCalculateResponse ( AuthData->InIdentifier, AuthData->AuthConfig->CHAPSecret, @@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived ( } RspLen = ISCSI_CHAP_RSP_LEN; - IScsiHexToBin (TargetRsp, &RspLen, Response); + Status = IScsiHexToBin (TargetRsp, &RspLen, Response); + if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) { + Status = EFI_PROTOCOL_ERROR; + goto ON_EXIT; + } // // Check the CHAP Name and Response replied by Target.