From bc704fb58f507deea84a4c047a3a71351f0c55aa Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Mon, 28 Nov 2011 01:02:07 -0800 Subject: iscsi-target: fix chap identifier simple_strtoul usage This patch makes chap_server_compute_md5() use proper unsigned long usage for the CHAP_I (identifier) and check for values beyond 255 as per RFC-1994. Reported-by: Joern Engel Signed-off-by: Nicholas Bellinger --- drivers/target/iscsi/iscsi_target_auth.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'drivers/target/iscsi') diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c index 92a2526f0a20..db0cf7c8adde 100644 --- a/drivers/target/iscsi/iscsi_target_auth.c +++ b/drivers/target/iscsi/iscsi_target_auth.c @@ -165,7 +165,8 @@ static int chap_server_compute_md5( unsigned int *nr_out_len) { char *endptr; - unsigned char id, digest[MD5_SIGNATURE_SIZE]; + unsigned long id; + unsigned char digest[MD5_SIGNATURE_SIZE]; unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2]; unsigned char identifier[10], *challenge = NULL; unsigned char *challenge_binhex = NULL; @@ -304,15 +305,18 @@ static int chap_server_compute_md5( goto out; } - /* FIXME: What happens when simple_strtoul() return 256, 257, etc.? */ if (type == HEX) id = simple_strtoul(&identifier[2], &endptr, 0); else id = simple_strtoul(identifier, &endptr, 0); + if (id > 255) { + pr_err("chap identifier: %lu greater than 255\n", id); + goto out; + } /* * RFC 1994 says Identifier is no more than octet (8 bits). */ - pr_debug("[server] Got CHAP_I=%d\n", id); + pr_debug("[server] Got CHAP_I=%lu\n", id); /* * Get CHAP_C. */ -- cgit