tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
iscsi-target: fix chap identifier simple_strtoul usage
This patch makes chap_server_compute_md5() use proper unsigned long
usage for the CHAP_I (identifier) and check for values beyond 255 as
per RFC-1994.
Reported-by: Joern Engel <joern@logfs.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+7
-3
+7
-3
drivers/target/iscsi/iscsi_target_auth.c
+7
-3
drivers/target/iscsi/iscsi_target_auth.c
···
165
165
unsigned int *nr_out_len)
166
166
{
167
167
char *endptr;
168
-
unsigned char id, digest[MD5_SIGNATURE_SIZE];
168
+
unsigned long id;
169
+
unsigned char digest[MD5_SIGNATURE_SIZE];
169
170
unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2];
170
171
unsigned char identifier[10], *challenge = NULL;
171
172
unsigned char *challenge_binhex = NULL;
···
305
304
goto out;
306
305
}
307
306
308
-
/* FIXME: What happens when simple_strtoul() return 256, 257, etc.? */
309
307
if (type == HEX)
310
308
id = simple_strtoul(&identifier[2], &endptr, 0);
311
309
else
312
310
id = simple_strtoul(identifier, &endptr, 0);
311
+
if (id > 255) {
312
+
pr_err("chap identifier: %lu greater than 255\n", id);
313
+
goto out;
314
+
}
313
315
/*
314
316
* RFC 1994 says Identifier is no more than octet (8 bits).
315
317
*/
316
-
pr_debug("[server] Got CHAP_I=%d\n", id);
318
+
pr_debug("[server] Got CHAP_I=%lu\n", id);
317
319
/*
318
320
* Get CHAP_C.
319
321
*/