[pkg-wpa-devel] Bug#528639: wpasupplicant: buffer overflow in _wpa_hexdump

Jan Christoph Nordholz hesso at pool.math.tu-berlin.de
Thu May 14 10:28:25 UTC 2009


Package: wpasupplicant
Version: 0.6.9-2
Severity: important
Tags: security

Hi,

your syslog patch changes _wpa_hexdump() to create the debug string in a
local buffer on the stack before emitting it - however you boldly assume
that 2048B "should be enough for everyone". When connecting to a WPA-EAP
network here, my network card receives a 1028B packet during the handshake,
which *easily* exceeds the 2048B for the hexdump string and smashes the
stack. Maybe you should take the input length into account?


Regards,

Jan
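
The sizing problem described in the report, as an added example that is not part of the original message or of the Debian patch: a hexdump formatter that either truncates safely inside a fixed buffer or sizes its buffer from the input length. It assumes each input byte is rendered as a space plus two hex digits, so 1028 input bytes need 3085 bytes of output; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HEX_PER_BYTE 3 /* assumed layout " %02x": space + two hex digits */

/* Bytes needed for len input bytes, NUL included; 0 on size_t overflow. */
size_t hexdump_needed(size_t len)
{
    if (len > (SIZE_MAX - 1) / HEX_PER_BYTE)
        return 0;
    return len * HEX_PER_BYTE + 1;
}

/* Render into out without writing past out[outsz - 1].
 * Returns the number of input bytes rendered (less than len = truncated). */
size_t hexdump_bounded(char *out, size_t outsz, const uint8_t *buf, size_t len)
{
    size_t i, pos = 0;

    if (outsz == 0)
        return 0;
    for (i = 0; i < len && outsz - pos > HEX_PER_BYTE; i++)
        pos += (size_t)snprintf(out + pos, outsz - pos, " %02x", (unsigned)buf[i]);
    out[pos] = '\0';
    return i;
}

/* Size the buffer from the input length, not a constant. Caller frees. */
char *hexdump_alloc(const uint8_t *buf, size_t len)
{
    size_t need = hexdump_needed(len);
    char *out = need ? malloc(need) : NULL;

    if (out != NULL)
        hexdump_bounded(out, need, buf, len);
    return out;
}

int main(void)
{
    uint8_t pkt[1028] = {0}; /* constructed input, sized as in the report */
    char fixed[2048];
    size_t done = hexdump_bounded(fixed, sizeof(fixed), pkt, sizeof(pkt));

    printf("need %zu, 2048-byte buffer held %zu of %zu input bytes\n",
           hexdump_needed(sizeof(pkt)), done, sizeof(pkt));
    return 0;
}
```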