On Wed, 2013-11-20 at 14:19 -0800, Eric Seppanen wrote:
> In iSCSI negotiations with initiator CHAP enabled, usernames with
> trailing garbage are permitted, because the string comparison only
> checks the strlen of the configured username.
>
> e.g. "usernameXXXXX" will be permitted to match "username".
>
> Just check one more byte so the trailing null char is also matched.
>
> Signed-off-by: Eric Seppanen <eric@xxxxxxxxxxxxxxx>
> ---

Also applied, with a CC' to stable.

Thanks!

--nab

> drivers/target/iscsi/iscsi_target_auth.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c > index 7505fdd..3e80188 100644 > --- a/drivers/target/iscsi/iscsi_target_auth.c > +++ b/drivers/target/iscsi/iscsi_target_auth.c > @@ -146,6 +146,7 @@ static int chap_server_compute_md5( > unsigned char client_digest[MD5_SIGNATURE_SIZE]; > unsigned char server_digest[MD5_SIGNATURE_SIZE]; > unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH]; > + size_t compare_len; > struct iscsi_chap *chap = conn->auth_protocol; > struct crypto_hash *tfm; > struct hash_desc desc; > @@ -184,7 +185,9 @@ static int chap_server_compute_md5( > goto out; > } > > - if (memcmp(chap_n, auth->userid, strlen(auth->userid)) != 0) { > + /* Include the terminating NULL in the compare */ > + compare_len = strlen(auth->userid) + 1; > + if (strncmp(chap_n, auth->userid, compare_len) != 0) { > pr_err("CHAP_N values do not match!\n"); > goto out; > }
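
Review bot: In the second hunk (@@ -184,7 +185,9), the bound passed to `strncmp(chap_n, auth->userid, compare_len)` is redundant. With `compare_len = strlen(auth->userid) + 1`, the call stops at the first differing byte or at the NUL of `auth->userid`, which is exactly where a plain `strcmp(chap_n, auth->userid)` stops, so both examine the same bytes of `chap_n` and return the same result. Using `strcmp()` directly would let the `size_t compare_len;` declaration from the first hunk be dropped and makes the intent (exact match, not prefix match) obvious at the call site. If the bounded form is kept, the comment should say what the `+ 1` guards against (a `chap_n` that merely starts with the configured userid) and should read "NUL" rather than "NULL", since it refers to the terminator byte and not a pointer. Separately, `chap_n` is declared `unsigned char` in the first hunk's context while the string functions take `const char *`; a one-line note or a cast would make that conversion deliberate.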