From nobody Mon Feb 9 19:30:01 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76208+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76208+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1623154409; cv=none; d=zohomail.com; s=zohoarc; b=Zi1tG+GDSafoHcqj864vm8Qpg33x8GfQax6ecwd7/WkuThIiNyPq5OBN2woER6WiG7jaMfApVTTLhIR+GVaw83ulRj6uYP/tvAqhQdXLWVpYY6oRmiDsikwndxksF6AlVhnWrJ7eEWnaLXgJ4Yj0Y9wIzagp3KaP8eaMNGQVtGw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623154409; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=Ysc44LYyVDOJJiFhGWofgvYFneGKih2SKj3M1e6vVFU=; b=jQwMYJKXabGh4WBFL6m32VpRC6zPIoODQoUcqLzCcebpr/SHpGa05BeIy8DhseAwocPqrIKBgMMWcfyyx6qdf6tWEb1PY9VGpJP70mPErcKG1AobLGDWbfmSqUk8r7hJfbkfbmneRfTVv/BJduCX1t5VIVebeHkN/4OD1918uHs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76208+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1623154409299234.33118561866218; Tue, 8 Jun 2021 05:13:29 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id tTksYY1788612xp1NqmdUmJN; Tue, 08 Jun 2021 05:13:28 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.groups.io with SMTP id smtpd.web08.11306.1623154402586860865 for ; Tue, 08 Jun 2021 05:13:22 -0700 X-Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-37-F_jHPkcXOAmisKzLCbdBWg-1; Tue, 08 Jun 2021 08:13:19 -0400 X-MC-Unique: F_jHPkcXOAmisKzLCbdBWg-1 X-Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C9B88107ACCD; Tue, 8 Jun 2021 12:13:17 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-113-27.ams2.redhat.com [10.36.113.27]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8B98F620DE; Tue, 8 Jun 2021 12:13:16 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Jiaxin Wu , Maciej Rabeda , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Siyuan Fu Subject: [edk2-devel] [PUBLIC edk2 PATCH v2 10/10] NetworkPkg/IScsiDxe: check IScsiHexToBin() return values Date: Tue, 8 Jun 2021 14:12:59 +0200 Message-Id: <20210608121259.32451-11-lersek@redhat.com> In-Reply-To: <20210608121259.32451-1-lersek@redhat.com> References: <20210608121259.32451-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com X-Gm-Message-State: lwfhh7HOBv2lGksRnecWC0kkx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623154409; bh=Ysc44LYyVDOJJiFhGWofgvYFneGKih2SKj3M1e6vVFU=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=ZlUf8B/dfg/HgiK5OQKIfGWeXMMbatxKJaqR/NCy72EgzCOinSgt+Iw2gnGNgdE999x 791azEEeJnhqZUEBZM3Ijl+8CqVc4pr12EWm5kqUNlKRq5uHd9c8BjyXSPVCEzz3m702h HZrgPEK2x0skwpazAF7RdxlQQhde5jI3iL0= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" IScsiDxe (that is, the initiator) receives two hex-encoded strings from the iSCSI target: - CHAP_C, where the target challenges the initiator, - CHAP_R, where the target answers the challenge from the initiator (in case the initiator wants mutual authentication). Accordingly, we have two IScsiHexToBin() call sites: - At the CHAP_C decoding site, check whether the decoding succeeds. The decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes, which is a permissible restriction on the target, per . Shorter challenges from the target are acceptable. - At the CHAP_R decoding site, enforce that the decoding both succeed, and provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest calculated by the target, therefore it must be of fixed size. We may only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daud=C3=A9 Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3356 Signed-off-by: Laszlo Ersek Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Maciej Rabeda --- NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHA= P.c index dbe3c8ef46f9..7e930c0d1eab 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c @@ -274,43 +274,47 @@ IScsiCHAPOnRspReceived ( =20 Challenge =3D IScsiGetValueByKeyFromList ( KeyValueList, ISCSI_KEY_CHAP_CHALLENGE ); if (Challenge =3D=3D NULL) { goto ON_EXIT; } // // Process the CHAP identifier and CHAP Challenge from Target. // Calculate Response value. // Result =3D IScsiNetNtoi (Identifier); if (Result > 0xFF) { goto ON_EXIT; } =20 AuthData->InIdentifier =3D (UINT32) Result; AuthData->InChallengeLength =3D (UINT32) sizeof (AuthData->InChallenge= ); - IScsiHexToBin ( - (UINT8 *) AuthData->InChallenge, - &AuthData->InChallengeLength, - Challenge - ); + Status =3D IScsiHexToBin ( + (UINT8 *) AuthData->InChallenge, + &AuthData->InChallengeLength, + Challenge + ); + if (EFI_ERROR (Status)) { + Status =3D EFI_PROTOCOL_ERROR; + goto ON_EXIT; + } Status =3D IScsiCHAPCalculateResponse ( AuthData->InIdentifier, AuthData->AuthConfig->CHAPSecret, (UINT32) AsciiStrLen (AuthData->AuthConfig->CHAPSecret), AuthData->InChallenge, AuthData->InChallengeLength, AuthData->CHAPResponse ); =20 // // Transit to next step. // Conn->AuthStep =3D ISCSI_CHAP_STEP_THREE; break; =20 case ISCSI_CHAP_STEP_THREE: // // One way CHAP authentication and the target would like to // authenticate us. @@ -321,39 +325,43 @@ IScsiCHAPOnRspReceived ( case ISCSI_CHAP_STEP_FOUR: ASSERT (AuthData->AuthConfig->CHAPType =3D=3D ISCSI_CHAP_MUTUAL); // // The forth step, CHAP_N=3D CHAP_R=3D is received from Target. // Name =3D IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_NAME= ); if (Name =3D=3D NULL) { goto ON_EXIT; } =20 Response =3D IScsiGetValueByKeyFromList ( KeyValueList, ISCSI_KEY_CHAP_RESPONSE ); if (Response =3D=3D NULL) { goto ON_EXIT; } =20 RspLen =3D ISCSI_CHAP_RSP_LEN; - IScsiHexToBin (TargetRsp, &RspLen, Response); + Status =3D IScsiHexToBin (TargetRsp, &RspLen, Response); + if (EFI_ERROR (Status) || RspLen !=3D ISCSI_CHAP_RSP_LEN) { + Status =3D EFI_PROTOCOL_ERROR; + goto ON_EXIT; + } =20 // // Check the CHAP Name and Response replied by Target. // Status =3D IScsiCHAPAuthTarget (AuthData, TargetRsp); break; =20 default: break; } =20 ON_EXIT: =20 if (KeyValueList !=3D NULL) { IScsiFreeKeyValueList (KeyValueList); } =20 FreePool (Data); =20 --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76208): https://edk2.groups.io/g/devel/message/76208 Mute This Topic: https://groups.io/mt/83394120/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-