NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing

The IScsiHexToBin() function has the following parser issues:

(1) If the *subject sequence* in "HexStr" is empty, the function returns
    EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should
    be rejected.

(2) The function mis-handles a "HexStr" that ends with a stray nibble. For
    example, if "HexStr" is "0xABC", the function decodes it to the bytes
    {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns
    EFI_SUCCESS. Such inputs should be rejected.

(3) If an invalid hex char is found in "HexStr", the function treats it as
    end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be
    rejected.

All of the above cases are remotely triggerable, as shown in a subsequent
patch, which adds error checking to the IScsiHexToBin() call sites. While
the initiator is not immediately compromised, incorrectly parsing CHAP_R
from the target, in case of mutual authentication, is not great.

Extend the interface contract of IScsiHexToBin() with
EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement
the new checks.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-9-lersek@redhat.com>

diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index 014700e87a5f48d059f8a9563bb80338f8d59a00..f0f4992b07c797bf4493dddb4fb6c8f461643699 100644 (file)
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -376,6 +376,7 @@ IScsiBinToHex (
 \r
   @retval EFI_SUCCESS           The hexadecimal string is converted into a\r
                                 binary encoded buffer.\r
+  @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.\r
   @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the\r
                                 converted data.\r
 **/\r
@@ -402,14 +403,21 @@ IScsiHexToBin (
 \r
   Length = AsciiStrLen (HexStr);\r
 \r
+  //\r
+  // Reject an empty hex string; reject a stray nibble.\r
+  //\r
+  if (Length == 0 || Length % 2 != 0) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+\r
   for (Index = 0; Index < Length; Index ++) {\r
     TemStr[0] = HexStr[Index];\r
     Digit = (UINT8) AsciiStrHexToUint64 (TemStr);\r
     if (Digit == 0 && TemStr[0] != '0') {\r
       //\r
-      // Invalid Lun Char.\r
+      // Invalid Hex Char.\r
       //\r
-      break;\r
+      return EFI_INVALID_PARAMETER;\r
     }\r
     if ((Index & 1) == 0) {\r
       BinBuffer [Index/2] = Digit;\r

diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index 28cf408cd5c58b00bc1d1bcc09c0637d2ac41f7a..404a482e57f3fb62a35e0610ae50a856f81691a9 100644 (file)
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -171,6 +171,7 @@ IScsiBinToHex (
 \r
   @retval EFI_SUCCESS           The hexadecimal string is converted into a\r
                                 binary encoded buffer.\r
+  @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.\r
   @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the\r
                                 converted data.\r
 **/\r