oss-sec mailing list archives

CVE id request: dns2tcp


From: Nico Golde <oss-security+ml () ngolde de>
Date: Thu, 4 Sep 2008 00:24:10 +0200

Hi,
dns2tcp fixed a buffer overflow in 0.4.1:
http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en

diff -Nurad dns2tcp-0.4.dfsg/common/dns.c dns2tcp-0.4.1/common/dns.c
--- dns2tcp-0.4.dfsg/common/dns.c       2007-07-07 19:18:10.000000000 +0200
+++ dns2tcp-0.4.1/common/dns.c  2008-09-01 14:49:08.000000000 +0200
@@ -114,7 +114,7 @@
 
 void           dns_simple_decode(char *input, char *output, int max_len)
 {
-  int          len;
+  uint8_t      len;
   char         *ptr;
   int          total_len =0;
   
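
Review bot: In dns_simple_decode(), `len` becomes uint8_t while `max_len` stays a signed int parameter, and no check on max_len is visible in the shown context. Consider returning early when max_len <= 0 so the `total_len > max_len` test further down always compares against a sane bound. uint8_t also needs <stdint.h>, and no hunk shown for common/dns.c adds that include, so confirm an existing header already pulls it in.
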
@@ -122,7 +122,7 @@
   *output = 0;
   while (*ptr)
     {
-      len = (int) *ptr;
+      len = (uint8_t) *ptr;
       total_len +=len;
       if (total_len > max_len)
        break;
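
Review bot: `len = (uint8_t) *ptr;` still accepts any value up to 255 as a label length, and only the running `total_len > max_len` test limits it. DNS labels are at most 63 octets (RFC 1035), so consider rejecting len > 63 here as malformed input. Because the test is `>` rather than `>=`, total_len may equal max_len, so also confirm that callers size the output buffer with room for a terminating NUL in that case.
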
diff -Nurad dns2tcp-0.4.dfsg/server/dns_decode.c dns2tcp-0.4.1/server/dns_decode.c
--- dns2tcp-0.4.dfsg/server/dns_decode.c        2007-07-07 19:18:10.000000000 +0200
+++ dns2tcp-0.4.1/server/dns_decode.c   2008-09-01 14:49:08.000000000 +0200
@@ -1,6 +1,6 @@
@@ -79,7 +79,7 @@
 {
   int          max_compress_depth = MAX_COMPRESS_DEPTH;
   int          total_len = 0;
-  int          len;
+  uint8_t      len;
   char         *ptr;
 
   ptr = input;
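
Review bot: The `@@ -1,6 +1,6 @@` header for server/dns_decode.c has no lines under it in this posting, so the change at the top of the file cannot be reviewed; please repost that hunk. It may be where an include needed for the new `uint8_t len;` declaration was added, but that cannot be confirmed from what is shown.
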
@@ -87,7 +87,8 @@
   
   while ((max_compress_depth) && (*ptr))
     {
-      len = (int) *ptr;
+      // Oups ...
+      len = (uint8_t) *ptr;
       total_len += len;
       if ((len & COMPRESS_FLAG_CHAR) == COMPRESS_FLAG_CHAR)
        {
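
Review bot: `total_len += len;` runs before the `(len & COMPRESS_FLAG_CHAR) == COMPRESS_FLAG_CHAR` test, so a byte that turns out to be a compression marker is first counted as a label length. Consider moving the addition after the test so that total_len only accumulates real label lengths. The `// Oups ...` comment would be more useful if it said why the cast must be unsigned: where plain char is signed, a byte of 0x80 or above became a negative len under the old `(int)` cast.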


This looks like it is possible to overwrite a buffer by passing a negative length to
dns_simple_decode() or dns_decode().

Can I get a CVE id for this please?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
