From 713a76945fb7962d97be9c0f8a54a32da5f683d2 Mon Sep 17 00:00:00 2001

From: Laszlo Ersek <lersek@redhat.com>

Date: Tue, 8 Jun 2021 14:12:55 +0200

Subject: [PATCH 06/11] NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always

 succeeds

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Laszlo Ersek <lersek@redhat.com>

RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]

RH-Commit: [6/10] f75dedb1034e5feb5fd268c99184d3e392ef9beb

RH-Bugzilla: 1961100

RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

IScsiBinToHex() is called for encoding:

- the answer to the target's challenge; that is, CHAP_R;

- the challenge for the target, in case mutual authentication is enabled;

  that is, CHAP_C.

The initiator controls the size of both blobs, the sizes of their hex

encodings are correctly calculated in "RspLen" and "ChallengeLen".

Therefore the IScsiBinToHex() calls never fail; assert that.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>

Cc: Philippe Mathieu-Daudé <philmd@redhat.com>

Cc: Siyuan Fu <siyuan.fu@intel.com>

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

Message-Id: <20210608121259.32451-7-lersek@redhat.com>

(cherry picked from commit d90fff40cb2502b627370a77f5608c8a178c3f78)

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 NetworkPkg/IScsiDxe/IScsiCHAP.c | 27 +++++++++++++++------------

 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c

index 9e192ce292..dbe3c8ef46 100644

--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c

+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c

@@ -391,6 +391,7 @@ IScsiCHAPToSendReq (

   UINT32                      RspLen;

   CHAR8                       *Challenge;

   UINT32                      ChallengeLen;

+  EFI_STATUS                  BinToHexStatus;

   ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);

@@ -471,12 +472,13 @@ IScsiCHAPToSendReq (

     //

     // CHAP_R=<R>

     //

-    IScsiBinToHex (

-      (UINT8 *) AuthData->CHAPResponse,

-      ISCSI_CHAP_RSP_LEN,

-      Response,

-      &RspLen

-      );

+    BinToHexStatus = IScsiBinToHex (

+                       (UINT8 *) AuthData->CHAPResponse,

+                       ISCSI_CHAP_RSP_LEN,

+                       Response,

+                       &RspLen

+                       );

+    ASSERT_EFI_ERROR (BinToHexStatus);

     IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);

     if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {

@@ -490,12 +492,13 @@ IScsiCHAPToSendReq (

       // CHAP_C=<C>

       //

       IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);

-      IScsiBinToHex (

-        (UINT8 *) AuthData->OutChallenge,

-        ISCSI_CHAP_RSP_LEN,

-        Challenge,

-        &ChallengeLen

-        );

+      BinToHexStatus = IScsiBinToHex (

+                         (UINT8 *) AuthData->OutChallenge,

+                         ISCSI_CHAP_RSP_LEN,

+                         Challenge,

+                         &ChallengeLen

+                         );

+      ASSERT_EFI_ERROR (BinToHexStatus);

       IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);

       Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;

-- 

2.27.0