Patch "iscsi-target: chap auth shouldn't match username with trailing garbage" has been added to the 3.10-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sat, 30 Nov 2013 20:51:20 -0800

This is a note to let you know that I've just added the patch titled

    iscsi-target: chap auth shouldn't match username with trailing garbage

to the 3.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch
and it can be found in the queue-3.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 86784c6bdeeef78eed94d298be7a8879f6a97ee2 Mon Sep 17 00:00:00 2001
From: Eric Seppanen <eric@xxxxxxxxxxxxxxx>
Date: Wed, 20 Nov 2013 14:19:52 -0800
Subject: iscsi-target: chap auth shouldn't match username with trailing garbage

From: Eric Seppanen <eric@xxxxxxxxxxxxxxx>

commit 86784c6bdeeef78eed94d298be7a8879f6a97ee2 upstream.

In iSCSI negotiations with initiator CHAP enabled, usernames with
trailing garbage are permitted, because the string comparison only
checks the strlen of the configured username.

e.g. "usernameXXXXX" will be permitted to match "username".

Just check one more byte so the trailing null char is also matched.

Signed-off-by: Eric Seppanen <eric@xxxxxxxxxxxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/target/iscsi/iscsi_target_auth.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -148,6 +148,7 @@ static int chap_server_compute_md5(
 	unsigned char client_digest[MD5_SIGNATURE_SIZE];
 	unsigned char server_digest[MD5_SIGNATURE_SIZE];
 	unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH];
+	size_t compare_len;
 	struct iscsi_chap *chap = conn->auth_protocol;
 	struct crypto_hash *tfm;
 	struct hash_desc desc;
@@ -186,7 +187,9 @@ static int chap_server_compute_md5(
 		goto out;
 	}
 
-	if (memcmp(chap_n, auth->userid, strlen(auth->userid)) != 0) {
+	/* Include the terminating NULL in the compare */
+	compare_len = strlen(auth->userid) + 1;
+	if (strncmp(chap_n, auth->userid, compare_len) != 0) {
 		pr_err("CHAP_N values do not match!\n");
 		goto out;
 	}


Patches currently in stable-queue which might be from eric@xxxxxxxxxxxxxxx are

queue-3.10/iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch
queue-3.10/iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html







