
[iscsi] Eliminate variable-length stack allocations in CHAP handlers

Signed-off-by: Michael Brown <mcb30@ipxe.org>
master
Michael Brown 4 years ago
parent
commit
e2e29e7ae3
1 changed files with 41 additions and 11 deletions
  1. 41
    11
      src/net/tcp/iscsi.c

+ 41
- 11
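--- a/src/net/tcp/iscsi.c
+++ b/src/net/tcp/iscsi.c
@@ -980,18 +980,26 @@
  */
 static int iscsi_handle_chap_c_value ( struct iscsi_session *iscsi,
 				       const char *value ) {
-	uint8_t buf[ strlen ( value ) ]; /* Decoding never expands data */
+	uint8_t *buf;
 	unsigned int i;
 	int len;
 	int rc;
 
+	/* Allocate decoding buffer */
+	len = strlen ( value ); /* Decoding never expands data */
+	buf = malloc ( len );
+	if ( ! buf ) {
+		rc = -ENOMEM;
+		goto err_alloc;
+	}
+
 	/* Process challenge */
-	len = iscsi_large_binary_decode ( value, buf, sizeof ( buf ) );
+	len = iscsi_large_binary_decode ( value, buf, len );
 	if ( len < 0 ) {
 		rc = len;
 		DBGC ( iscsi, "iSCSI %p invalid CHAP challenge \"%s\": %s\n",
 		       iscsi, value, strerror ( rc ) );
-		return rc;
+		goto err_decode;
 	}
 	chap_update ( &iscsi->chap, buf, len );
 
@@ -1009,7 +1017,13 @@
 		}
 	}
 
-	return 0;
+	/* Success */
+	rc = 0;
+
+ err_decode:
+	free ( buf );
+ err_alloc:
+	return rc;
 }
 
 /**
@@ -1050,7 +1064,7 @@
  */
 static int iscsi_handle_chap_r_value ( struct iscsi_session *iscsi,
 				       const char *value ) {
-	uint8_t buf[ strlen ( value ) ]; /* Decoding never expands data */
+	uint8_t *buf;
 	int len;
 	int rc;
 
@@ -1059,7 +1073,7 @@
 	if ( ( rc = chap_init ( &iscsi->chap, &md5_algorithm ) ) != 0 ) {
 		DBGC ( iscsi, "iSCSI %p could not initialise CHAP: %s\n",
 		       iscsi, strerror ( rc ) );
-		return rc;
+		goto err_chap_init;
 	}
 	chap_set_identifier ( &iscsi->chap, iscsi->chap_challenge[0] );
 	if ( iscsi->target_password ) {
@@ -1070,31 +1084,47 @@
 		      ( sizeof ( iscsi->chap_challenge ) - 1 ) );
 	chap_respond ( &iscsi->chap );
 
+	/* Allocate decoding buffer */
+	len = strlen ( value ); /* Decoding never expands data */
+	buf = malloc ( len );
+	if ( ! buf ) {
+		rc = -ENOMEM;
+		goto err_alloc;
+	}
+
 	/* Process response */
-	len = iscsi_large_binary_decode ( value, buf, sizeof ( buf ) );
+	len = iscsi_large_binary_decode ( value, buf, len );
 	if ( len < 0 ) {
 		rc = len;
 		DBGC ( iscsi, "iSCSI %p invalid CHAP response \"%s\": %s\n",
 		       iscsi, value, strerror ( rc ) );
-		return rc;
+		goto err_decode;
 	}
 
 	/* Check CHAP response */
 	if ( len != ( int ) iscsi->chap.response_len ) {
 		DBGC ( iscsi, "iSCSI %p invalid CHAP response length\n",
 		       iscsi );
-		return -EPROTO_INVALID_CHAP_RESPONSE;
+		rc = -EPROTO_INVALID_CHAP_RESPONSE;
+		goto err_response_len;
 	}
 	if ( memcmp ( buf, iscsi->chap.response, len ) != 0 ) {
 		DBGC ( iscsi, "iSCSI %p incorrect CHAP response \"%s\"\n",
 		       iscsi, value );
-		return -EACCES_INCORRECT_TARGET_PASSWORD;
+		rc = -EACCES_INCORRECT_TARGET_PASSWORD;
+		goto err_response;
 	}
 
 	/* Mark session as authenticated */
 	iscsi->status |= ISCSI_STATUS_AUTH_REVERSE_OK;
 
-	return 0;
+ err_response:
+ err_response_len:
+ err_decode:
+	free ( buf );
+ err_alloc:
+ err_chap_init:
+	return rc;
 }
 
 /** An iSCSI text string that we want to handle */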
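Review bot: In iscsi_handle_chap_r_value the success path falls through `err_response:` and returns whatever `rc` still holds from the `chap_init` check, whereas iscsi_handle_chap_c_value sets `rc = 0` under `/* Success */` before its labels. On the visible lines every failure path assigns `rc` before its `goto`, so the result is correct today, but this function decides whether the target is authenticated and its return value should not depend on a stale assignment. I would add `/* Success */` and `rc = 0;` after the `iscsi->status |= ISCSI_STATUS_AUTH_REVERSE_OK;` line, matching the other handler. Parts of the function lie between the hunks and are not shown, so this assumes nothing there reassigns `rc`.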
