Of course you all found the bug I was talking about after I uploaded the correct
screenshot! ;-) Bash me. You even found other minor issues, which however should
not be exploitable.
Nevertheless, wpa_supplicant has got an excellent code structure which is fun to review.
If you ever want to learn how to write your own TLSv1 implementation, have a look at their code.
Tuesday, October 23, 2007
There is an interesting bug within wpa_supplicant's ASN.1 parsing. Usually, it uses the OpenSSL
library to obtain and parse the X509 certificates. However, it can be compiled to use its built-in
X509/ASN.1 parsing routines instead. Nearly all X509 functions use
asn1_get_next(). There is a buffer overflow condition within this function. Found it?
Make a comment!
P.S. Our packages do not use the vulnerable parsing code.
P.P.S. Puzzle-solving coming soon :-)
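
A bounds-checked DER header reader, added here as an example of the checks to look for when reviewing a function like asn1_get_next(). It is not wpa_supplicant's code and does not reproduce the bug from the puzzle; the names tlv_hdr and tlv_get_next are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names; not wpa_supplicant's struct asn1_hdr or asn1_get_next(). */
struct tlv_hdr {
    uint8_t cls;            /* class: top two bits of the identifier octet */
    int constructed;        /* constructed flag: bit 5 of the identifier octet */
    unsigned int tag;       /* tag number */
    size_t length;          /* payload length in octets */
    const uint8_t *payload; /* points into the caller's buffer, not a copy */
};

/* Parse one DER header from buf[0..len). Returns 0 on success, -1 on
 * truncated or malformed input. Every read is preceded by a bounds check. */
int tlv_get_next(const uint8_t *buf, size_t len, struct tlv_hdr *hdr)
{
    const uint8_t *pos = buf, *end = buf + len;
    uint8_t b;

    if (pos >= end) return -1;                 /* no identifier octet */
    b = *pos++;
    hdr->cls = b >> 6;
    hdr->constructed = (b >> 5) & 1;
    hdr->tag = b & 0x1f;
    if (hdr->tag == 0x1f) {                    /* high-tag-number form */
        hdr->tag = 0;
        do {
            if (pos >= end) return -1;         /* tag runs past the buffer */
            if (hdr->tag > (UINT_MAX >> 7)) return -1; /* tag would overflow */
            b = *pos++;
            hdr->tag = (hdr->tag << 7) | (b & 0x7f);
        } while (b & 0x80);
    }
    if (pos >= end) return -1;                 /* no length octet */
    b = *pos++;
    if (b & 0x80) {                            /* long-form length */
        unsigned int n = b & 0x7f;
        if (n == 0 || n > sizeof(size_t)) return -1; /* indefinite or too wide */
        if ((size_t)(end - pos) < n) return -1;      /* length octets truncated */
        hdr->length = 0;
        while (n--) hdr->length = (hdr->length << 8) | *pos++;
    } else {
        hdr->length = b;                       /* short form */
    }
    if (hdr->length > (size_t)(end - pos)) return -1; /* payload must fit */
    hdr->payload = pos;
    return 0;
}
```

A caller that walks nested elements should pass each payload and its length back in as the new buffer, so an inner header can never claim more bytes than its parent holds.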