NetworkPkg/IScsiDxe: check IScsiHexToBin() return values

IScsiDxe (that is, the initiator) receives two hex-encoded strings from
the iSCSI target:

- CHAP_C, where the target challenges the initiator,

- CHAP_R, where the target answers the challenge from the initiator (in
  case the initiator wants mutual authentication).

Accordingly, we have two IScsiHexToBin() call sites:

- At the CHAP_C decoding site, check whether the decoding succeeds. The
  decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
  which is a permissible restriction on the target, per
  <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
  from the target are acceptable.

- At the CHAP_R decoding site, enforce that the decoding both succeed, and
  provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
  calculated by the target, therefore it must be of fixed size. We may
  only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-11-lersek@redhat.com>

diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index dbe3c8ef46f9743b854f6991a7f35d8f9f49bd67..7e930c0d1eab8b525e419d15de08bcc39a2c6f61 100644 (file)
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (
 \r
     AuthData->InIdentifier      = (UINT32) Result;\r
     AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);\r
-    IScsiHexToBin (\r
-      (UINT8 *) AuthData->InChallenge,\r
-      &AuthData->InChallengeLength,\r
-      Challenge\r
-      );\r
+    Status = IScsiHexToBin (\r
+               (UINT8 *) AuthData->InChallenge,\r
+               &AuthData->InChallengeLength,\r
+               Challenge\r
+               );\r
+    if (EFI_ERROR (Status)) {\r
+      Status = EFI_PROTOCOL_ERROR;\r
+      goto ON_EXIT;\r
+    }\r
     Status = IScsiCHAPCalculateResponse (\r
                AuthData->InIdentifier,\r
                AuthData->AuthConfig->CHAPSecret,\r
@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
     }\r
 \r
     RspLen = ISCSI_CHAP_RSP_LEN;\r
-    IScsiHexToBin (TargetRsp, &RspLen, Response);\r
+    Status = IScsiHexToBin (TargetRsp, &RspLen, Response);\r
+    if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {\r
+      Status = EFI_PROTOCOL_ERROR;\r
+      goto ON_EXIT;\r
+    }\r
 \r
     //\r
     // Check the CHAP Name and Response replied by Target.\r