iscsi-target: fix chap identifier simple_strtoul usage

This patch makes chap_server_compute_md5() use proper unsigned long
usage for the CHAP_I (identifier) and check for values beyond 255 as
per RFC-1994.

Reported-by: Joern Engel <joern@logfs.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
index 92a2526f0a20210a870391f7b24f2a93d0015609..db0cf7c8adde04db2b272660a6047297fa848a78 100644 (file)
--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -165,7 +165,8 @@ static int chap_server_compute_md5(
        unsigned int *nr_out_len)
 {
        char *endptr;
-       unsigned char id, digest[MD5_SIGNATURE_SIZE];
+       unsigned long id;
+       unsigned char digest[MD5_SIGNATURE_SIZE];
        unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2];
        unsigned char identifier[10], *challenge = NULL;
        unsigned char *challenge_binhex = NULL;
@@ -304,15 +305,18 @@ static int chap_server_compute_md5(
                goto out;
        }
 
-       /* FIXME: What happens when simple_strtoul() return 256, 257, etc.? */
        if (type == HEX)
                id = simple_strtoul(&identifier[2], &endptr, 0);
        else
                id = simple_strtoul(identifier, &endptr, 0);
+       if (id > 255) {
+               pr_err("chap identifier: %lu greater than 255\n", id);
+               goto out;
+       }
        /*
         * RFC 1994 says Identifier is no more than octet (8 bits).
         */
-       pr_debug("[server] Got CHAP_I=%d\n", id);
+       pr_debug("[server] Got CHAP_I=%lu\n", id);
        /*
         * Get CHAP_C.
         */