summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorNicholas Bellinger <nab@linux-iscsi.org>2011-11-28 01:02:07 -0800
committerNicholas Bellinger <nab@linux-iscsi.org>2011-12-14 11:28:09 +0000
commitbc704fb58f507deea84a4c047a3a71351f0c55aa (patch)
tree64372a6e7fbf1a54214fda904a81637d8bba1402 /drivers
parent8359cf43b9dccddeebb0d247146719a14ce6371a (diff)
downloadlinux-stable-bc704fb58f507deea84a4c047a3a71351f0c55aa.tar.gz
linux-stable-bc704fb58f507deea84a4c047a3a71351f0c55aa.tar.bz2
linux-stable-bc704fb58f507deea84a4c047a3a71351f0c55aa.zip
iscsi-target: fix chap identifier simple_strtoul usage
This patch makes chap_server_compute_md5() use proper unsigned long usage for the CHAP_I (identifier) and check for values beyond 255 as per RFC-1994. Reported-by: Joern Engel <joern@logfs.org> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/target/iscsi/iscsi_target_auth.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
index 92a2526f0a20..db0cf7c8adde 100644
--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -165,7 +165,8 @@ static int chap_server_compute_md5(
unsigned int *nr_out_len)
{
char *endptr;
- unsigned char id, digest[MD5_SIGNATURE_SIZE];
+ unsigned long id;
+ unsigned char digest[MD5_SIGNATURE_SIZE];
unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2];
unsigned char identifier[10], *challenge = NULL;
unsigned char *challenge_binhex = NULL;
@@ -304,15 +305,18 @@ static int chap_server_compute_md5(
goto out;
}
- /* FIXME: What happens when simple_strtoul() return 256, 257, etc.? */
if (type == HEX)
id = simple_strtoul(&identifier[2], &endptr, 0);
else
id = simple_strtoul(identifier, &endptr, 0);
+ if (id > 255) {
+ pr_err("chap identifier: %lu greater than 255\n", id);
+ goto out;
+ }
/*
* RFC 1994 says Identifier is no more than octet (8 bits).
*/
- pr_debug("[server] Got CHAP_I=%d\n", id);
+ pr_debug("[server] Got CHAP_I=%lu\n", id);
/*
* Get CHAP_C.
*/