From: David Disseldorp <ddiss@suse.de>
To: Alexandru Hossu <hossu.alexandru@gmail.com>
Cc: "Martin K . Petersen" <martin.petersen@oracle.com>,
Bart Van Assche <bvanassche@acm.org>,
target-devel@vger.kernel.org, linux-scsi@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] scsi: target: iscsi: validate CHAP_R length before base64 decode
Date: Tue, 19 May 2026 00:40:26 +1000 [thread overview]
Message-ID: <20260519004026.3b7e07a2.ddiss@suse.de> (raw)
In-Reply-To: <20260518121811.385350-1-hossu.alexandru@gmail.com>
Hi Alexandru,
Thanks for the report and follow up patch...
On Mon, 18 May 2026 14:18:11 +0200, Alexandru Hossu wrote:
> chap_server_compute_hash() allocates client_digest as
> kzalloc(chap->digest_size) and then, for BASE64-encoded responses,
> passes chap_r directly to chap_base64_decode() without checking whether
> the input length could produce more than digest_size bytes of output.
>
> chap_base64_decode() writes to the destination unconditionally as long
> as there is input to consume. With MAX_RESPONSE_LENGTH set to 128 and
> the "0b" prefix stripped by extract_param(), up to 127 base64 characters
> can reach the decoder. 127 characters decode to 95 bytes. For SHA-256
> (digest_size=32) this overflows client_digest by 63 bytes; for MD5
> (digest_size=16) the overflow is 79 bytes.
>
> The length check at line 344 fires after the write has already happened.
>
> The HEX branch in the same switch statement already validates the length
> up front. Apply the same approach to the BASE64 branch: reject any input
> whose maximum decoded length exceeds digest_size before calling the
> decoder.
>
> The formula (digest_size * 4 + 2) / 3 is the ceiling of digest_size *
> 4/3, i.e. the maximum number of base64 characters that can decode to
> exactly digest_size bytes.
>
> Fixes: 1e5733883421 ("scsi: target: iscsi: Support base64 in CHAP")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> drivers/target/iscsi/iscsi_target_auth.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
> index c46c69a..653be1a 100644
> --- a/drivers/target/iscsi/iscsi_target_auth.c
> +++ b/drivers/target/iscsi/iscsi_target_auth.c
> @@ -341,6 +341,10 @@ static int chap_server_compute_hash(
> }
> break;
> case BASE64:
> + if (strlen(chap_r) > (chap->digest_size * 4 + 2) / 3) {
nit: this could be DIV_ROUND_UP(chap->digest_size * 4, 3) to match
base64.h BASE64_CHARS(), right?
> + pr_err("Malformed CHAP_R: base64 payload too long\n");
> + goto out;
> + }
> if (chap_base64_decode(client_digest, chap_r, strlen(chap_r)) !=
> chap->digest_size) {
> pr_err("Malformed CHAP_R: invalid BASE64\n");
The above check doesn't appear to catch undersize base64 CHAP responses,
unlike the hex path. How does that affect the handshake?
Finally, don't we need a similar check for the mutual CHAP code-path?
Thanks, David
next prev parent reply other threads:[~2026-05-18 14:40 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 12:18 [PATCH] scsi: target: iscsi: validate CHAP_R length before base64 decode Alexandru Hossu
2026-05-18 14:40 ` David Disseldorp [this message]
2026-05-18 23:50 ` [PATCH v2] " Alexandru Hossu
2026-05-20 15:56 ` Maurizio Lombardi
2026-05-20 16:53 ` Alexandru Hossu
2026-05-20 18:02 ` Dmitry Bogdanov
2026-05-21 0:43 ` Alexandru Hossu
2026-05-22 9:53 ` Hannes Reinecke
2026-05-18 23:51 ` [PATCH] " Alexandru Hossu
2026-05-20 16:52 ` [PATCH v3] " Alexandru Hossu
2026-05-21 14:38 ` David Disseldorp
2026-05-22 9:56 ` Hannes Reinecke
2026-05-22 10:37 ` Alexandru Hossu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519004026.3b7e07a2.ddiss@suse.de \
--to=ddiss@suse.de \
--cc=bvanassche@acm.org \
--cc=hossu.alexandru@gmail.com \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@vger.kernel.org \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.