[Code-Crunchers] ASN1 parsing bug in wpa_supplicant
Gil Dabah
arkon at ragestorm.net
Tue Oct 23 15:02:14 CDT 2007
Well, I don't like the way the code is written:
that it first accesses the data, which can lead to a two-byte read
exceeding the real buffer, and only then checks the pos and returns a failure.
That can be an access violation if these were the two last bytes of a
page... But unlikely, of course. :)
Anyhow, we are dealing here with a read buffer overflow, which is possible
to exploit, and it really depends how the validation code (caller code)
works. Chances are it probably won't be exploitable.
The underflow test pretty much kicks all overflows.
But I guess maybe you meant something more serious?
Sebastian Krahmer wrote:
> Maybe one of you guys is able to see what I mean :-)
> http://c-skills.blogspot.com
> This should affect lotsa more ASN1 implementations.
>
> cheers,
> Sebastian
>
>
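The pattern under discussion, reading the tag and length octets first and checking the position afterwards, is what turns a truncated DER header into an out-of-bounds read. Below is an added example of the opposite discipline, written for this thread and not taken from wpa_supplicant or any other project: a small DER tag/length parser that checks the remaining length before every byte it touches, plus a walker over a constructed value that re-checks on each element. The names (`asn1_hdr`, `asn1_get_hdr`, `asn1_count_children`) and the sample encodings are my own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed DER identifier + length. Hypothetical struct, not wpa_supplicant's. */
struct asn1_hdr {
    const uint8_t *payload;  /* first byte of the value */
    size_t length;           /* value length in bytes */
    uint8_t class_;          /* bits 7-6 of the identifier octet */
    int constructed;         /* bit 5 of the identifier octet */
    uint8_t tag;             /* low 5 bits; high-tag-number form is rejected */
};

/* Parse one TLV header from buf[0..len). Every octet is bounds-checked
 * before it is read, so a header cut off after one or two bytes fails
 * cleanly instead of reading past the end of the buffer.
 * Returns 0 on success, -1 on malformed or truncated input. */
int asn1_get_hdr(const uint8_t *buf, size_t len, struct asn1_hdr *hdr)
{
    const uint8_t *pos = buf, *end = buf + len;
    size_t n;

    if (len < 2)                 /* need identifier octet + one length octet */
        return -1;

    hdr->class_ = pos[0] >> 6;
    hdr->constructed = (pos[0] >> 5) & 1;
    hdr->tag = pos[0] & 0x1f;
    if (hdr->tag == 0x1f)        /* multi-byte tag: not supported here */
        return -1;
    pos++;

    if (*pos & 0x80) {           /* long form: 0x8N followed by N length octets */
        size_t nbytes = *pos & 0x7f;
        pos++;
        if (nbytes == 0 || nbytes > sizeof(size_t))
            return -1;           /* indefinite length (BER only) or absurd size */
        if ((size_t)(end - pos) < nbytes)
            return -1;           /* the length octets themselves are truncated */
        if (*pos == 0)
            return -1;           /* DER forbids leading zero length octets */
        n = 0;
        for (size_t i = 0; i < nbytes; i++)
            n = (n << 8) | *pos++;
        if (n < 0x80)
            return -1;           /* DER requires the short form below 128 */
    } else {
        n = *pos++;              /* short form: single length octet */
    }

    if ((size_t)(end - pos) < n)
        return -1;               /* value would run past the buffer */

    hdr->payload = pos;
    hdr->length = n;
    return 0;
}

/* Count the elements inside a constructed value, re-checking the remaining
 * length at every step. Returns the element count, or -1 if the outer or any
 * inner header is malformed. */
int asn1_count_children(const uint8_t *buf, size_t len)
{
    struct asn1_hdr outer, inner;
    int count = 0;

    if (asn1_get_hdr(buf, len, &outer) < 0 || !outer.constructed)
        return -1;

    const uint8_t *pos = outer.payload, *end = outer.payload + outer.length;
    while (pos < end) {
        if (asn1_get_hdr(pos, (size_t)(end - pos), &inner) < 0)
            return -1;
        pos = inner.payload + inner.length;
        count++;
    }
    return count;
}

/* Constructed samples: SEQUENCE { INTEGER 5 }, and the same SEQUENCE whose
 * inner INTEGER claims 5 bytes while only 0 remain. */
const uint8_t sample_seq[]       = { 0x30, 0x03, 0x02, 0x01, 0x05 };
const uint8_t sample_bad_child[] = { 0x30, 0x02, 0x02, 0x05 };

int main(void)
{
    printf("good sequence: %d child(ren)\n",
           asn1_count_children(sample_seq, sizeof sample_seq));
    printf("bad child:     %d\n",
           asn1_count_children(sample_bad_child, sizeof sample_bad_child));
    return 0;
}
```

The point is the ordering: `len < 2`, `end - pos < nbytes` and `end - pos < n` are all evaluated before the byte they guard is dereferenced, so the worst a hostile certificate or EAP payload can do is make the parser return -1 early.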