From: David Disseldorp <ddiss@suse.de>
To: Alexandru Hossu <hossu.alexandru@gmail.com>
Cc: "Martin K . Petersen" <martin.petersen@oracle.com>,
Bart Van Assche <bvanassche@acm.org>,
target-devel@vger.kernel.org, linux-scsi@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] scsi: target: iscsi: validate CHAP_R length before base64 decode
Date: Tue, 19 May 2026 00:40:26 +1000 [thread overview]
Message-ID: <20260519004026.3b7e07a2.ddiss@suse.de> (raw)
In-Reply-To: <20260518121811.385350-1-hossu.alexandru@gmail.com>
Hi Alexandru,
Thanks for the report and follow up patch...
On Mon, 18 May 2026 14:18:11 +0200, Alexandru Hossu wrote:
> chap_server_compute_hash() allocates client_digest as
> kzalloc(chap->digest_size) and then, for BASE64-encoded responses,
> passes chap_r directly to chap_base64_decode() without checking whether
> the input length could produce more than digest_size bytes of output.
>
> chap_base64_decode() writes to the destination unconditionally as long
> as there is input to consume. With MAX_RESPONSE_LENGTH set to 128 and
> the "0b" prefix stripped by extract_param(), up to 127 base64 characters
> can reach the decoder. 127 characters decode to 95 bytes. For SHA-256
> (digest_size=32) this overflows client_digest by 63 bytes; for MD5
> (digest_size=16) the overflow is 79 bytes.
>
> The length check at line 344 fires after the write has already happened.
>
> The HEX branch in the same switch statement already validates the length
> up front. Apply the same approach to the BASE64 branch: reject any input
> whose maximum decoded length exceeds digest_size before calling the
> decoder.
>
> The formula (digest_size * 4 + 2) / 3 is the ceiling of digest_size *
> 4/3, i.e. the maximum number of base64 characters that can decode to
> exactly digest_size bytes.
>
> Fixes: 1e5733883421 ("scsi: target: iscsi: Support base64 in CHAP")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> drivers/target/iscsi/iscsi_target_auth.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
> index c46c69a..653be1a 100644
> --- a/drivers/target/iscsi/iscsi_target_auth.c
> +++ b/drivers/target/iscsi/iscsi_target_auth.c
> @@ -341,6 +341,10 @@ static int chap_server_compute_hash(
> }
> break;
> case BASE64:
> + if (strlen(chap_r) > (chap->digest_size * 4 + 2) / 3) {
nit: this could be DIV_ROUND_UP(chap->digest_size * 4, 3) to match
base64.h BASE64_CHARS(), right?
> + pr_err("Malformed CHAP_R: base64 payload too long\n");
> + goto out;
> + }
> if (chap_base64_decode(client_digest, chap_r, strlen(chap_r)) !=
> chap->digest_size) {
> pr_err("Malformed CHAP_R: invalid BASE64\n");
The above check doesn't appear to catch undersize base64 CHAP responses,
unlike the hex path. How does that affect the handshake?
Finally, don't we need a similar check for the mutual CHAP code-path?
Thanks, David
next prev parent reply other threads:[~2026-05-18 14:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 12:18 [PATCH] scsi: target: iscsi: validate CHAP_R length before base64 decode Alexandru Hossu
2026-05-18 14:40 ` David Disseldorp [this message]
2026-05-18 23:50 ` [PATCH v2] " Alexandru Hossu
2026-05-20 15:56 ` Maurizio Lombardi
2026-05-20 16:53 ` Alexandru Hossu
2026-05-20 18:02 ` Dmitry Bogdanov
2026-05-21 0:43 ` Alexandru Hossu
2026-05-18 23:51 ` [PATCH] " Alexandru Hossu
2026-05-20 16:52 ` [PATCH v3] " Alexandru Hossu
2026-05-21 14:38 ` David Disseldorp
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519004026.3b7e07a2.ddiss@suse.de \
--to=ddiss@suse.de \
--cc=bvanassche@acm.org \
--cc=hossu.alexandru@gmail.com \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@vger.kernel.org \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox