rpms / edk2

Clone
Source Code
GIT

Blame SOURCES/edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch

c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta
  1.   9e1c843bd36fe576b1e4cf49927f8b0c0797648e
  2.   SOURCES
  3.   edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
Blob History Raw
9e1c84 
From 5171f67062e606a4e606780ff5a5787bde7198eb Mon Sep 17 00:00:00 2001
d15d15 
From: Laszlo Ersek <lersek@redhat.com>
9e1c84 
Date: Tue, 8 Jun 2021 14:12:59 +0200
d15d15 
Subject: [PATCH 10/10] NetworkPkg/IScsiDxe: check IScsiHexToBin() return
d15d15 
 values
d15d15 
MIME-Version: 1.0
d15d15 
Content-Type: text/plain; charset=UTF-8
d15d15 
Content-Transfer-Encoding: 8bit
d15d15
d15d15 
RH-Author: Laszlo Ersek <lersek@redhat.com>
9e1c84 
RH-MergeRequest: 5: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.5.0, post-rebase]
9e1c84 
RH-Commit: [10/10] 1c65763fef57cfd9b1bd55779ec6eba4e086e100
9e1c84 
RH-Bugzilla: 1956408
d15d15 
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
d15d15
d15d15 
IScsiDxe (that is, the initiator) receives two hex-encoded strings from
d15d15 
the iSCSI target:
d15d15
d15d15 
- CHAP_C, where the target challenges the initiator,
d15d15
d15d15 
- CHAP_R, where the target answers the challenge from the initiator (in
d15d15 
  case the initiator wants mutual authentication).
d15d15
d15d15 
Accordingly, we have two IScsiHexToBin() call sites:
d15d15
d15d15 
- At the CHAP_C decoding site, check whether the decoding succeeds. The
d15d15 
  decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
d15d15 
  which is a permissible restriction on the target, per
d15d15 
  <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
d15d15 
  from the target are acceptable.
d15d15
d15d15 
- At the CHAP_R decoding site, enforce that the decoding both succeed, and
d15d15 
  provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
d15d15 
  calculated by the target, therefore it must be of fixed size. We may
d15d15 
  only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.
d15d15
d15d15 
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
d15d15 
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
d15d15 
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
d15d15 
Cc: Siyuan Fu <siyuan.fu@intel.com>
d15d15 
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
d15d15 
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
d15d15 
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
d15d15 
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
9e1c84 
Message-Id: <20210608121259.32451-11-lersek@redhat.com>
9e1c84 
(cherry picked from commit b8649cf2a3e673a4a8cb6c255e394b354b771550)
d15d15 
---
d15d15 
 NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------
d15d15 
 1 file changed, 14 insertions(+), 6 deletions(-)
d15d15
d15d15 
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
d15d15 
index dbe3c8ef46..7e930c0d1e 100644
d15d15 
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
d15d15 
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
d15d15 
@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (
d15d15
d15d15 
     AuthData->InIdentifier      = (UINT32) Result;
d15d15 
     AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
d15d15 
-    IScsiHexToBin (
d15d15 
-      (UINT8 *) AuthData->InChallenge,
d15d15 
-      &AuthData->InChallengeLength,
d15d15 
-      Challenge
d15d15 
-      );
d15d15 
+    Status = IScsiHexToBin (
d15d15 
+               (UINT8 *) AuthData->InChallenge,
d15d15 
+               &AuthData->InChallengeLength,
d15d15 
+               Challenge
d15d15 
+               );
d15d15 
+    if (EFI_ERROR (Status)) {
d15d15 
+      Status = EFI_PROTOCOL_ERROR;
d15d15 
+      goto ON_EXIT;
d15d15 
+    }
d15d15 
     Status = IScsiCHAPCalculateResponse (
d15d15 
                AuthData->InIdentifier,
d15d15 
                AuthData->AuthConfig->CHAPSecret,
d15d15 
@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
d15d15 
     }
d15d15
d15d15 
     RspLen = ISCSI_CHAP_RSP_LEN;
d15d15 
-    IScsiHexToBin (TargetRsp, &RspLen, Response);
d15d15 
+    Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
d15d15 
+    if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
d15d15 
+      Status = EFI_PROTOCOL_ERROR;
d15d15 
+      goto ON_EXIT;
d15d15 
+    }
d15d15
d15d15 
     //
d15d15 
     // Check the CHAP Name and Response replied by Target.
d15d15 
--
d15d15 
2.27.0
d15d15

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation