diff options
author | Nicholas Bellinger <nab@linux-iscsi.org> | 2011-11-28 01:02:07 -0800 |
---|---|---|
committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2011-12-14 11:28:09 +0000 |
commit | bc704fb58f507deea84a4c047a3a71351f0c55aa (patch) | |
tree | 64372a6e7fbf1a54214fda904a81637d8bba1402 /drivers | |
parent | 8359cf43b9dccddeebb0d247146719a14ce6371a (diff) | |
download | linux-stable-bc704fb58f507deea84a4c047a3a71351f0c55aa.tar.gz linux-stable-bc704fb58f507deea84a4c047a3a71351f0c55aa.tar.bz2 linux-stable-bc704fb58f507deea84a4c047a3a71351f0c55aa.zip |
iscsi-target: fix chap identifier simple_strtoul usage
This patch makes chap_server_compute_md5() use proper unsigned long
usage for the CHAP_I (identifier) and check for values beyond 255 as
per RFC-1994.
Reported-by: Joern Engel <joern@logfs.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/target/iscsi/iscsi_target_auth.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c index 92a2526f0a20..db0cf7c8adde 100644 --- a/drivers/target/iscsi/iscsi_target_auth.c +++ b/drivers/target/iscsi/iscsi_target_auth.c @@ -165,7 +165,8 @@ static int chap_server_compute_md5( unsigned int *nr_out_len) { char *endptr; - unsigned char id, digest[MD5_SIGNATURE_SIZE]; + unsigned long id; + unsigned char digest[MD5_SIGNATURE_SIZE]; unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2]; unsigned char identifier[10], *challenge = NULL; unsigned char *challenge_binhex = NULL; @@ -304,15 +305,18 @@ static int chap_server_compute_md5( goto out; } - /* FIXME: What happens when simple_strtoul() return 256, 257, etc.? */ if (type == HEX) id = simple_strtoul(&identifier[2], &endptr, 0); else id = simple_strtoul(identifier, &endptr, 0); + if (id > 255) { + pr_err("chap identifier: %lu greater than 255\n", id); + goto out; + } /* * RFC 1994 says Identifier is no more than octet (8 bits). */ - pr_debug("[server] Got CHAP_I=%d\n", id); + pr_debug("[server] Got CHAP_I=%lu\n", id); /* * Get CHAP_C. */ |