From 79c8488d768ea02939474374a18c536425c36de3 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Tue, 27 Apr 2021 12:10:12 +0200 Subject: [PATCH 10/10] NetworkPkg/IScsiDxe: check IScsiHexToBin() return values MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Laszlo Ersek RH-MergeRequest: 3: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [rhel-8.4.0.z] RH-Commit: [10/10] 171f8f1c114e0028d83bcb1ca46844a99a825b29 RH-Bugzilla: 1956676 RH-Acked-by: Philippe Mathieu-Daudé IScsiDxe (that is, the initiator) receives two hex-encoded strings from the iSCSI target: - CHAP_C, where the target challenges the initiator, - CHAP_R, where the target answers the challenge from the initiator (in case the initiator wants mutual authentication). Accordingly, we have two IScsiHexToBin() call sites: - At the CHAP_C decoding site, check whether the decoding succeeds. The decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes, which is a permissible restriction on the target, per . Shorter challenges from the target are acceptable. - At the CHAP_R decoding site, enforce that the decoding both succeed, and provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest calculated by the target, therefore it must be of fixed size. We may only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daudé Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 Signed-off-by: Laszlo Ersek Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Maciej Rabeda Upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=3356, c#17...c#22 --- NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c index dbe3c8ef46..7e930c0d1e 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c @@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived ( AuthData->InIdentifier = (UINT32) Result; AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge); - IScsiHexToBin ( - (UINT8 *) AuthData->InChallenge, - &AuthData->InChallengeLength, - Challenge - ); + Status = IScsiHexToBin ( + (UINT8 *) AuthData->InChallenge, + &AuthData->InChallengeLength, + Challenge + ); + if (EFI_ERROR (Status)) { + Status = EFI_PROTOCOL_ERROR; + goto ON_EXIT; + } Status = IScsiCHAPCalculateResponse ( AuthData->InIdentifier, AuthData->AuthConfig->CHAPSecret, @@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived ( } RspLen = ISCSI_CHAP_RSP_LEN; - IScsiHexToBin (TargetRsp, &RspLen, Response); + Status = IScsiHexToBin (TargetRsp, &RspLen, Response); + if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) { + Status = EFI_PROTOCOL_ERROR; + goto ON_EXIT; + } // // Check the CHAP Name and Response replied by Target. -- 2.27.0