[Code-Crunchers] ASN1 parsing bug in wpa_supplicant
Sebastian Krahmer
krahmer at suse.de
Wed Oct 24 07:42:27 CDT 2007
On Tue, 23 Oct 2007, Gil Dabah wrote:
Indeed, most implementations suffer from accessing memory out-of-range
when reading the length value. However, there is a more serious bug
which makes the function return non-error but leaves data in the hdr
which leads to overflows later.
l8er,
S.
> Well, I don't like the way the code is written.
> It first accesses the data, which can lead to a two-byte read exceeding
> the real buffer, and only then checks the pos and returns a failure.
> That can be an access violation if these were the two last bytes of a page... But
> unlikely, of course. :)
>
> Anyhow, we are dealing here with read buffer overflows, which are possible to
> exploit, and it really depends on how the validation code (caller code) works.
> Chances are it probably won't be exploitable.
>
> The underflow test pretty much kicks all overflows.
> But I guess maybe you meant something more serious?
>
>
> Sebastian Krahmer wrote:
> > Maybe one of you guys is able to see what I mean :-)
> > http://c-skills.blogspot.com
> > This should affect lotsa more ASN1 implementations.
> >
> > cheers,
> > Sebastian
> >
> >
>
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
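Defensive example added here (not wpa_supplicant's asn1_get_hdr and not code from the thread): a DER tag/length header parser that range-checks before every read and refuses to return a header whose claimed length exceeds the remaining buffer, the check whose absence lets a parser return success with a length that later reads overrun. The struct and function names are hypothetical.

```c
/* Added example (not wpa_supplicant code): a bounds-checked DER header
 * parser. Every byte is range-checked before it is read, and the parsed
 * length is checked against the bytes that remain, so a header is never
 * handed back whose length points past the end of the buffer. */
#include <stddef.h>
#include <stdint.h>

struct der_hdr {
    uint8_t tag;
    size_t length;           /* length of the content octets */
    const uint8_t *payload;  /* first content octet */
};

/* Returns 0 on success, -1 on any malformed or truncated header. */
int der_get_hdr(const uint8_t *buf, size_t len, struct der_hdr *hdr)
{
    const uint8_t *pos = buf, *end = buf + len;
    size_t i, n;

    if (len < 2)                          /* need at least tag + length */
        return -1;
    hdr->tag = *pos++;
    if ((hdr->tag & 0x1f) == 0x1f)        /* multi-byte tags not supported */
        return -1;
    if (*pos & 0x80) {                    /* long form: 0x8N then N bytes */
        n = *pos++ & 0x7f;
        if (n == 0 || n > sizeof(size_t)) /* indefinite or absurd length */
            return -1;
        if (n > (size_t)(end - pos))      /* length octets are truncated */
            return -1;
        hdr->length = 0;
        for (i = 0; i < n; i++)
            hdr->length = (hdr->length << 8) | *pos++;
    } else {
        hdr->length = *pos++;             /* short form: one byte */
    }
    /* The check this bug class is missing: the claimed length must fit in
     * what remains, otherwise a caller trusting it reads past the buffer. */
    if (hdr->length > (size_t)(end - pos))
        return -1;
    hdr->payload = pos;
    return 0;
}
```

The parser rejects indefinite-length encodings (0x80) since DER forbids them; it does not enforce minimal length encoding, which a stricter DER validator would add.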