WiRouterKeyRec: signed integer overflow in agpf_get_serial (agpf.c)

Description:
WiRouterKeyRec is a recovery tool for wpa passphrase.

A crafted AGPF config shows the presence of a signed integer overflow in agpf_check_agpf.

The complete UBSan output:

# WiRouterKeyRec --config crash.agpf -s Alice-48230959

WiRouter KeyRec 1.1.2 - (C) 2011 Salvatore Fresta
http://www.salvatorefresta.net

src/agpf.c:445:17: runtime error: signed integer overflow: 48230959 - -2101480424 cannot be represented in type 'int'

Affected version:
1.1.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-08-08: bug discovered
2016-08-08: bug reported to upstream
2016-08-08: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

WiRouterKeyRec: signed integer overflow in agpf_get_serial (agpf.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.