From de86f03cd7ed849ff62b1591c5fd34aeb1792887 Mon Sep 17 00:00:00 2001

From: Laszlo Ersek <lersek@redhat.com>

Date: Tue, 8 Jun 2021 14:12:59 +0200

Subject: [PATCH 10/11] NetworkPkg/IScsiDxe: check IScsiHexToBin() return

 values

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Laszlo Ersek <lersek@redhat.com>

RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]

RH-Commit: [10/10] 840f483839ce598396bb6db8ec1f0f50689b8215

RH-Bugzilla: 1961100

RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

IScsiDxe (that is, the initiator) receives two hex-encoded strings from

the iSCSI target:

- CHAP_C, where the target challenges the initiator,

- CHAP_R, where the target answers the challenge from the initiator (in

  case the initiator wants mutual authentication).

Accordingly, we have two IScsiHexToBin() call sites:

- At the CHAP_C decoding site, check whether the decoding succeeds. The

  decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,

  which is a permissible restriction on the target, per

  <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges

  from the target are acceptable.

- At the CHAP_R decoding site, enforce that the decoding both succeed, and

  provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest

  calculated by the target, therefore it must be of fixed size. We may

  only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>

Cc: Philippe Mathieu-Daudé <philmd@redhat.com>

Cc: Siyuan Fu <siyuan.fu@intel.com>

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

Message-Id: <20210608121259.32451-11-lersek@redhat.com>

(cherry picked from commit b8649cf2a3e673a4a8cb6c255e394b354b771550)

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------

 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c

index dbe3c8ef46..7e930c0d1e 100644

--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c

+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c

@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (

     AuthData->InIdentifier      = (UINT32) Result;

     AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);

-    IScsiHexToBin (

-      (UINT8 *) AuthData->InChallenge,

-      &AuthData->InChallengeLength,

-      Challenge

-      );

+    Status = IScsiHexToBin (

+               (UINT8 *) AuthData->InChallenge,

+               &AuthData->InChallengeLength,

+               Challenge

+               );

+    if (EFI_ERROR (Status)) {

+      Status = EFI_PROTOCOL_ERROR;

+      goto ON_EXIT;

+    }

     Status = IScsiCHAPCalculateResponse (

                AuthData->InIdentifier,

                AuthData->AuthConfig->CHAPSecret,

@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (

     }

     RspLen = ISCSI_CHAP_RSP_LEN;

-    IScsiHexToBin (TargetRsp, &RspLen, Response);

+    Status = IScsiHexToBin (TargetRsp, &RspLen, Response);

+    if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {

+      Status = EFI_PROTOCOL_ERROR;

+      goto ON_EXIT;

+    }

     //

     // Check the CHAP Name and Response replied by Target.

-- 

2.27.0