iscsi-target: chap auth shouldn't match username with trailing garbage

Linux-MTD Mailing List linux-mtd at lists.infradead.org
Fri Nov 22 17:59:09 EST 2013 

Gitweb:     http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=86784c6bdeeef78eed94d298be7a8879f6a97ee2
Commit:     86784c6bdeeef78eed94d298be7a8879f6a97ee2
Parent:     369653e4fb511928511b0ce81f41c812ff1f28b6
Author:     Eric Seppanen <eric at purestorage.com>
AuthorDate: Wed Nov 20 14:19:52 2013 -0800
Committer:  Nicholas Bellinger <nab at linux-iscsi.org>
CommitDate: Wed Nov 20 22:03:57 2013 -0800

    iscsi-target: chap auth shouldn't match username with trailing garbage
    
    In iSCSI negotiations with initiator CHAP enabled, usernames with
    trailing garbage are permitted, because the string comparison only
    checks the strlen of the configured username.
    
    e.g. "usernameXXXXX" will be permitted to match "username".
    
    Just check one more byte so the trailing null char is also matched.
    
    Signed-off-by: Eric Seppanen <eric at purestorage.com>
    Cc: <stable at vger.kernel.org> #3.1+
    Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
---
 drivers/target/iscsi/iscsi_target_auth.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
index 164b871..de77d9a 100644
--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -146,6 +146,7 @@ static int chap_server_compute_md5(
 	unsigned char client_digest[MD5_SIGNATURE_SIZE];
 	unsigned char server_digest[MD5_SIGNATURE_SIZE];
 	unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH];
+	size_t compare_len;
 	struct iscsi_chap *chap = conn->auth_protocol;
 	struct crypto_hash *tfm;
 	struct hash_desc desc;
@@ -184,7 +185,9 @@ static int chap_server_compute_md5(
 		goto out;
 	}
 
-	if (memcmp(chap_n, auth->userid, strlen(auth->userid)) != 0) {
+	/* Include the terminating NULL in the compare */
+	compare_len = strlen(auth->userid) + 1;
+	if (strncmp(chap_n, auth->userid, compare_len) != 0) {
 		pr_err("CHAP_N values do not match!\n");
 		goto out;
 	}

More information about the linux-mtd-cvs mailing list