From 81301b7e71ef7b5a47a7f38c57a5ddc9b2dac175 Mon Sep 17 00:00:00 2001 From: wiire-a Date: Mon, 13 Nov 2017 11:15:34 +0100 Subject: [PATCH] Fixed potential integer overflow The variable 'i' was of type uint_fast8_t which most compilers typedef as unsigned char or uint8_t which both (in C99) can hold a number between 0 and 255. This could cause an integer overflow when seed was found in mode 3 but the program was unsuccessful to recover the PIN within the first 255 tries of the first time window set in the future. This bug was introduced when the constant MODE3_TRIES was increased to 10 minutes (60 * 10 = 600 which is > 255) in commit (d3e4aab). --- src/pixiewps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pixiewps.c b/src/pixiewps.c index 3e81293..fe9ff89 100644 --- a/src/pixiewps.c +++ b/src/pixiewps.c @@ -901,7 +901,7 @@ usage_err: if (nonce_seed) { /* Seed found */ int32_t res; - uint_fast8_t i = 0; + int i = 0; /* Must hold MODE3_TRIES */ uint8_t tmp_s_nonce[16]; DEBUG_PRINT("Trying forward in time");
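Review bot: the range requirement on the counter at `int i = 0; /* Must hold MODE3_TRIES */` is enforced only by a comment, so the next change to MODE3_TRIES or to this declaration can bring back the same wraparound without any diagnostic. Consider a compile-time check beside the definition of MODE3_TRIES that it fits in the counter's type, so the build fails instead of the loop misbehaving. The declaration also moves from an unsigned to a signed type. The hunk does not show the loop condition, so it is worth confirming that `i` is not compared against or mixed with unsigned operands there. If nothing in the loop needs a negative value, an unsigned type wide enough for 600, such as `unsigned int`, would keep the original signedness.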