)]}'
{
  "commit": "85db7391310b1304d2dc8ae3b0b12105a9567147",
  "tree": "fbca8bb8fc0689c9c9a52977dc47b66a39d57c8a",
  "parents": [
    "bf33e01f88388c43e285492a63e539df6ffed64c"
  ],
  "author": {
    "name": "Alexandru Hossu",
    "email": "hossu.alexandru@gmail.com",
    "time": "Thu May 21 17:11:21 2026 +0200"
  },
  "committer": {
    "name": "Martin K. Petersen",
    "email": "martin.petersen@oracle.com",
    "time": "Fri May 22 23:06:00 2026 -0400"
  },
  "message": "scsi: target: iscsi: Validate CHAP_R length before base64 decode\n\nchap_server_compute_hash() allocates client_digest as\nkzalloc(chap-\u003edigest_size) and then, for BASE64-encoded responses,\npasses chap_r directly to chap_base64_decode() without checking whether\nthe input length could produce more than digest_size bytes of output.\n\nchap_base64_decode() writes to the destination unconditionally as long\nas there is input to consume. With MAX_RESPONSE_LENGTH set to 128 and\nthe \"0b\" prefix stripped by extract_param(), up to 127 base64 characters\ncan reach the decoder. 127 characters decode to 95 bytes. For SHA-256\n(digest_size\u003d32) this overflows client_digest by 63 bytes; for MD5\n(digest_size\u003d16) the overflow is 79 bytes.\n\nThe length check at line 344 fires after the write has already happened.\n\nThe HEX branch in the same switch statement already validates the length\nup front. Apply the same approach to the BASE64 branch: strip trailing\nbase64 padding characters, then reject any input whose data length\nexceeds DIV_ROUND_UP(digest_size * 4, 3) before calling the decoder.\n\nStripping trailing \u0027\u003d\u0027 before the comparison handles both padded and\nunpadded encodings. chap_base64_decode() already returns early on \u0027\u003d\u0027,\nso the full original string is still passed to the decoder unchanged.\n\nThe mutual CHAP path decodes CHAP_C into initiatorchg_binhex, which is\nkzalloc(CHAP_CHALLENGE_STR_LEN). extract_param() caps initiatorchg at\nCHAP_CHALLENGE_STR_LEN characters, so at most CHAP_CHALLENGE_STR_LEN-1\nbase64 characters reach the decoder. The maximum decoded size,\nDIV_ROUND_UP((CHAP_CHALLENGE_STR_LEN-1) * 3, 4), is less than\nCHAP_CHALLENGE_STR_LEN, so no overflow is possible there. A comment is\nadded at the call site to document this.\n\nFixes: 1e5733883421 (\"scsi: target: iscsi: Support base64 in CHAP\")\nCc: stable@vger.kernel.org\nSigned-off-by: Alexandru Hossu \u003chossu.alexandru@gmail.com\u003e\nReviewed-by: David Disseldorp \u003cddiss@suse.de\u003e\nLink: https://patch.msgid.link/20260521151121.808477-1-hossu.alexandru@gmail.com\nSigned-off-by: Martin K. Petersen \u003cmartin.petersen@oracle.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "c46c69a28e97eb0c6171d665b33eb374eeb4379c",
      "old_mode": 33188,
      "old_path": "drivers/target/iscsi/iscsi_target_auth.c",
      "new_id": "a3ad2d244dbee1a3f50b9a86a8140f2ba7114741",
      "new_mode": 33188,
      "new_path": "drivers/target/iscsi/iscsi_target_auth.c"
    }
  ]
}