From nobody Sat Feb 7 06:45:11 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76206+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76206+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1623154408; cv=none; d=zohomail.com; s=zohoarc; b=dQ2rRMrAXykoCE6XlWeR8PIws+lrR7JWCCRD+f301oLTmf+UAWDf1LHOwSLptindr52Jtdr1WvkZCqxt4YyqkbbQ6hM4M8Ps2k/OY/2EU3yl1hRmOM/X++ldtDkl6v8zsROo2ZXrpx9FCwSjFTDXMt9JXk95p//zdpckiYZpz5A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623154408; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=EuYhRwTqqVjf7YHAK8Qeur+PThqG/rB8MtVJB2oRJ2Q=; b=BAN1f5GTrYXaAV8paId0Q0hlTuIqTBfNPnqnH8/Sm/7+q2ARJI9TFeL+mOBfdegQ9I6j+2YhTA6D/ybFr4yEP7qrbzYpEiRusOT8J8+VZAXFP3Kh1tIoyfUk5P35cQfa/FEs3GcUrDYFWJ5Y/fEK43JLKGw8WeNF/NH1V60KcN4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76206+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1623154408857293.44105146529444; Tue, 8 Jun 2021 05:13:28 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id vO5MYY1788612x8mJZImumfm; Tue, 08 Jun 2021 05:13:28 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.groups.io with SMTP id smtpd.web11.11514.1623154400169553379 for ; Tue, 08 Jun 2021 05:13:20 -0700 X-Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-257--Tz5uiQlOh2fZGwz1dCsdg-1; Tue, 08 Jun 2021 08:13:15 -0400 X-MC-Unique: -Tz5uiQlOh2fZGwz1dCsdg-1 X-Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A7BCB107ACF2; Tue, 8 Jun 2021 12:13:14 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-113-27.ams2.redhat.com [10.36.113.27]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7087E197F9; Tue, 8 Jun 2021 12:13:13 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Jiaxin Wu , Maciej Rabeda , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Siyuan Fu Subject: [edk2-devel] [PUBLIC edk2 PATCH v2 08/10] NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing Date: Tue, 8 Jun 2021 14:12:57 +0200 Message-Id: <20210608121259.32451-9-lersek@redhat.com> In-Reply-To: <20210608121259.32451-1-lersek@redhat.com> References: <20210608121259.32451-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com X-Gm-Message-State: 4NNZE8NdHTF2rDOyBAj26Zmax1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623154408; bh=EuYhRwTqqVjf7YHAK8Qeur+PThqG/rB8MtVJB2oRJ2Q=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=PsiuSkHzI9BmCJ1EW1yGdIzwo8BO0lef3uQT3C5Tq8WKzYZSm9g5qHkrUN5QUepyVY1 G1JMIzbFico6cr0zXTkpwTl2/Ax+ykGM8+QQcgcoGPuS3TGWyj6sH3xv317O+z2n9/aEh RxWz5vrorTGSfjFXPNv65h0mqP46+9sYpXk= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" The IScsiHexToBin() function has the following parser issues: (1) If the *subject sequence* in "HexStr" is empty, the function returns EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should be rejected. (2) The function mis-handles a "HexStr" that ends with a stray nibble. For example, if "HexStr" is "0xABC", the function decodes it to the bytes {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns EFI_SUCCESS. Such inputs should be rejected. (3) If an invalid hex char is found in "HexStr", the function treats it as end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be rejected. All of the above cases are remotely triggerable, as shown in a subsequent patch, which adds error checking to the IScsiHexToBin() call sites. While the initiator is not immediately compromised, incorrectly parsing CHAP_R from the target, in case of mutual authentication, is not great. Extend the interface contract of IScsiHexToBin() with EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement the new checks. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daud=C3=A9 Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3356 Signed-off-by: Laszlo Ersek Reviewed-by: Maciej Rabeda Reviewed-by: Philippe Mathieu-Daud=C3=A9 --- NetworkPkg/IScsiDxe/IScsiMisc.h | 1 + NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMis= c.h index 28cf408cd5c5..404a482e57f3 100644 --- a/NetworkPkg/IScsiDxe/IScsiMisc.h +++ b/NetworkPkg/IScsiDxe/IScsiMisc.h @@ -155,38 +155,39 @@ IScsiAsciiStrToIp ( =20 **/ EFI_STATUS IScsiBinToHex ( IN UINT8 *BinBuffer, IN UINT32 BinLength, IN OUT CHAR8 *HexStr, IN OUT UINT32 *HexLength ); =20 /** Convert the hexadecimal string into a binary encoded buffer. =20 @param[in, out] BinBuffer The binary buffer. @param[in, out] BinLength Length of the binary buffer. @param[in] HexStr The hexadecimal string. =20 @retval EFI_SUCCESS The hexadecimal string is converted into a binary encoded buffer. + @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data. **/ EFI_STATUS IScsiHexToBin ( IN OUT UINT8 *BinBuffer, IN OUT UINT32 *BinLength, IN CHAR8 *HexStr ); =20 =20 /** Convert the decimal-constant string or hex-constant string into a numeri= cal value. =20 @param[in] Str String in decimal or hex. =20 @return The numerical value. =20 **/ diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMis= c.c index 014700e87a5f..f0f4992b07c7 100644 --- a/NetworkPkg/IScsiDxe/IScsiMisc.c +++ b/NetworkPkg/IScsiDxe/IScsiMisc.c @@ -360,72 +360,80 @@ IScsiBinToHex ( HexStr[Index * 2 + 2] =3D IScsiHexString[BinBuffer[Index] >> 4]; HexStr[Index * 2 + 3] =3D IScsiHexString[BinBuffer[Index] & 0xf]; } =20 HexStr[Index * 2 + 2] =3D '\0'; =20 return EFI_SUCCESS; } =20 =20 /** Convert the hexadecimal string into a binary encoded buffer. =20 @param[in, out] BinBuffer The binary buffer. @param[in, out] BinLength Length of the binary buffer. @param[in] HexStr The hexadecimal string. =20 @retval EFI_SUCCESS The hexadecimal string is converted into a binary encoded buffer. + @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data. **/ EFI_STATUS IScsiHexToBin ( IN OUT UINT8 *BinBuffer, IN OUT UINT32 *BinLength, IN CHAR8 *HexStr ) { UINTN Index; UINTN Length; UINT8 Digit; CHAR8 TemStr[2]; =20 ZeroMem (TemStr, sizeof (TemStr)); =20 // // Find out how many hex characters the string has. // if ((HexStr[0] =3D=3D '0') && ((HexStr[1] =3D=3D 'x') || (HexStr[1] =3D= =3D 'X'))) { HexStr +=3D 2; } =20 Length =3D AsciiStrLen (HexStr); =20 + // + // Reject an empty hex string; reject a stray nibble. + // + if (Length =3D=3D 0 || Length % 2 !=3D 0) { + return EFI_INVALID_PARAMETER; + } + for (Index =3D 0; Index < Length; Index ++) { TemStr[0] =3D HexStr[Index]; Digit =3D (UINT8) AsciiStrHexToUint64 (TemStr); if (Digit =3D=3D 0 && TemStr[0] !=3D '0') { // - // Invalid Lun Char. + // Invalid Hex Char. // - break; + return EFI_INVALID_PARAMETER; } if ((Index & 1) =3D=3D 0) { BinBuffer [Index/2] =3D Digit; } else { BinBuffer [Index/2] =3D (UINT8) ((BinBuffer [Index/2] << 4) + Digit); } } =20 *BinLength =3D (UINT32) ((Index + 1)/2); =20 return EFI_SUCCESS; } =20 =20 /** Convert the decimal-constant string or hex-constant string into a numeri= cal value. =20 @param[in] Str String in decimal or hex. =20 --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76206): https://edk2.groups.io/g/devel/message/76206 Mute This Topic: https://groups.io/mt/83394118/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-