Message-ID: <20120721135712.GA15993@openwall.com>
Date: Sat, 21 Jul 2012 17:57:12 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: WPA-PSK valid()

Lukas -

oh, I see that you added validation of the base-64 encoding and total
length in valid(), but there's still no validation of eapol_size. This
must be added. Since I am tired of "tracking" this little issue, can
you please take care of this (and re-test) within 3 days?

Thanks!

On Mon, Jul 09, 2012 at 10:57:51AM +0400, Solar Designer wrote:
> Lukas - can you implement the valid() enhancements proposed below, then
> re-test, please? Thanks.
>
> On Fri, Jun 29, 2012 at 12:24:47AM +0400, Solar Designer wrote:
> > Lukas -
> >
> > On Fri, Jun 29, 2012 at 12:12:08AM +0400, Solar Designer wrote:
> > > The attached patch makes the WPA-PSK format (CPU) work on big-endian
> >
> > BTW, perhaps eapol_size and keyver should be validated in valid() and in
> > hccap2john.c.
> >
> > Do these come from an external tool? Or even directly from network
> > traffic? In the latter case, we might even have a remote arbitrary code
> > execution vulnerability here. %-)
> >
> > Also, is it specified (where?) that these are in little-endian form, or
> > does this vary between builds of whatever tool creates the file?
> >
> > Alexander
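
The bounds check requested in the message above, sketched as an added example; it is not part of the original post and is not John the Ripper's code. The 392-byte hccap record layout, the field offsets, the accepted keyver values and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed hccap layout (not given in the thread): 392-byte record with
 * eapol[256] at offset 112, eapol_size at 368, keyver at 372. */
enum { HCCAP_SIZE = 392, EAPOL_MAX = 256, EAPOL_SIZE_OFF = 368, KEYVER_OFF = 372 };

/* Decode little-endian byte by byte: same result on any host endianness. */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: 1 if the length fields are safe to use, else 0. */
int hccap_fields_valid(const unsigned char *rec, size_t len)
{
    uint32_t size, ver;
    if (rec == NULL || len != HCCAP_SIZE)
        return 0;
    size = get_le32(rec + EAPOL_SIZE_OFF);
    ver = get_le32(rec + KEYVER_OFF);
    /* Unsigned compare also rejects values that are negative as int. */
    if (size == 0 || size > EAPOL_MAX)
        return 0;
    /* Assumed: key versions 1 and 2 are the only accepted values. */
    return ver == 1 || ver == 2;
}

/* Build a constructed (not captured) record and validate it. */
int check_constructed(uint32_t size, uint32_t ver)
{
    unsigned char rec[HCCAP_SIZE];
    int i;
    memset(rec, 0, sizeof(rec));
    for (i = 0; i < 4; i++) {
        rec[EAPOL_SIZE_OFF + i] = (unsigned char)(size >> (8 * i));
        rec[KEYVER_OFF + i] = (unsigned char)(ver >> (8 * i));
    }
    return hccap_fields_valid(rec, sizeof(rec));
}

int main(void)
{
    printf("%d %d %d\n", check_constructed(121, 2),
           check_constructed(257, 2), check_constructed(0xFFFFFFFFu, 1));
    return 0;
}
```

A size field written in the opposite byte order (121 stored as 0x79000000) fails the same range check, so a file from a tool with different endianness is rejected rather than used as a copy length.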