Description:
WiRouterKeyRec is a recovery tool for WPA passphrases.
A crafted AGPF config file reveals a signed integer overflow in agpf_check_agpf.
The complete UBSan output:
# WiRouterKeyRec --config crash.agpf -s Alice-48230959
WiRouter KeyRec 1.1.2 - (C) 2011 Salvatore Fresta
http://www.salvatorefresta.net
src/agpf.c:445:17: runtime error: signed integer overflow: 48230959 - -2101480424 cannot be represented in type 'int'
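An added example (not code from WiRouterKeyRec or from the original post): one way to guard a subtraction like the one UBSan flags, using the two operands from the report as constructed inputs. The names checked_sub, parse_serial and serial_offset are hypothetical, and it is an assumption that the first operand is the serial from the -s argument and the second comes from the config file.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable checked subtraction: returns 0 and stores a - b in *out,
 * or -1 if the result does not fit in int (the overflow is never executed). */
static int checked_sub(int a, int b, int *out)
{
    if ((b < 0 && a > INT_MAX + b) || (b > 0 && a < INT_MIN + b))
        return -1;
    *out = a - b;
    return 0;
}

/* Parse the numeric serial after the last '-' in an SSID such as
 * "Alice-48230959". Returns 0 on success, -1 if malformed or out of range. */
static int parse_serial(const char *ssid, int *serial)
{
    const char *dash = strrchr(ssid, '-');
    char *end;
    long v;
    if (dash == NULL || dash[1] == '\0')
        return -1;
    errno = 0;
    v = strtol(dash + 1, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    *serial = (int)v;
    return 0;
}

/* Hypothetical helper: serial minus a base value read from the untrusted config. */
static int serial_offset(const char *ssid, int config_base, int *out)
{
    int serial;
    if (parse_serial(ssid, &serial) != 0)
        return -1;
    return checked_sub(serial, config_base, out);
}

int main(void)
{
    int off; /* constructed inputs: the two operands from the UBSan report */
    if (serial_offset("Alice-48230959", -2101480424, &off) != 0)
        puts("rejected: subtraction would overflow int");
    return 0;
}
```

Rejecting the config entry when checked_sub fails keeps the out-of-range value from reaching any later arithmetic.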
Affected version:
1.1.2
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-08-08: bug discovered
2016-08-08: bug reported to upstream
2016-08-08: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
WiRouterKeyRec: signed integer overflow in agpf_get_serial (agpf.c)