oss-sec mailing list archives
CVE id request: dns2tcp
From: Nico Golde <oss-security+ml () ngolde de>
Date: Thu, 4 Sep 2008 00:24:10 +0200
Hi, dns2tcp fixed a buffer overflow in 0.4.1: http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en diff -Nurad dns2tcp-0.4.dfsg/common/dns.c dns2tcp-0.4.1/common/dns.c --- dns2tcp-0.4.dfsg/common/dns.c 2007-07-07 19:18:10.000000000 +0200 +++ dns2tcp-0.4.1/common/dns.c 2008-09-01 14:49:08.000000000 +0200 @@ -114,7 +114,7 @@ void dns_simple_decode(char *input, char *output, int max_len) { - int len; + uint8_t len; char *ptr; int total_len =0; @@ -122,7 +122,7 @@ *output = 0; while (*ptr) { - len = (int) *ptr; + len = (uint8_t) *ptr; total_len +=len; if (total_len > max_len) break; diff -Nurad dns2tcp-0.4.dfsg/server/dns_decode.c dns2tcp-0.4.1/server/dns_decode.c --- dns2tcp-0.4.dfsg/server/dns_decode.c 2007-07-07 19:18:10.000000000 +0200 +++ dns2tcp-0.4.1/server/dns_decode.c 2008-09-01 14:49:08.000000000 +0200 @@ -1,6 +1,6 @@ @@ -79,7 +79,7 @@ { int max_compress_depth = MAX_COMPRESS_DEPTH; int total_len = 0; - int len; + uint8_t len; char *ptr; ptr = input; @@ -87,7 +87,8 @@ while ((max_compress_depth) && (*ptr)) { - len = (int) *ptr; + // Oups ... + len = (uint8_t) *ptr; total_len += len; if ((len & COMPRESS_FLAG_CHAR) == COMPRESS_FLAG_CHAR) { This looks like it is possible to overwrite a buffer by passing a negative length to dns_simple_decode() or dns_decode(). Can I get a CVE id for this please? Cheers Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
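Review bot: In the dns_simple_decode() hunk of common/dns.c, nothing bounds `len` itself once it is a uint8_t: any byte from 64 to 255 is taken as a label length, although a DNS label is at most 63 bytes. Rejecting `len > 63` right after `len = (uint8_t) *ptr;` would treat such input as a malformed name instead of relying only on the `total_len > max_len` break. The type also needs <stdint.h>, and no include change for dns.c is visible in this diff.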
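Review bot: In the loop hunk of server/dns_decode.c, `total_len += len;` still runs before the `(len & COMPRESS_FLAG_CHAR) == COMPRESS_FLAG_CHAR` test, so as far as the visible lines show, a byte carrying the compression flag is counted into `total_len` as if it were a label length. Moving the addition after the flag test would keep the accounting to real labels. The `// Oups ...` comment should instead record why the cast has to be unsigned: a length byte of 0x80 or above read through a signed char gives a negative `len`.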
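The sign problem the message describes, as an added example that is not part of the original post or of dns2tcp: it runs only the `total_len`/`max_len` accounting seen in the diff over constructed length bytes and copies nothing. The names `first_rejected`, `real_total`, `SAMPLE_LENS` and the limit of 64 are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the length bytes of three labels in one name.
 * 0xF0 is 240 as uint8_t but -16 when read through a signed char. */
static const unsigned char SAMPLE_LENS[] = { 0x05, 0xF0, 0x3F };
#define SAMPLE_COUNT (sizeof SAMPLE_LENS / sizeof SAMPLE_LENS[0])

/* Runs the total_len/max_len accounting over a list of length bytes.
 * as_signed=1 models the old `(int) *ptr` where plain char is signed;
 * as_signed=0 models the patched `(uint8_t) *ptr`.
 * Returns the index of the byte at which the check fires, or -1 if it
 * never does; *total_out receives the final accounted total. */
static int first_rejected(const unsigned char *lens, size_t n, int max_len,
                          int as_signed, int *total_out)
{
    int total_len = 0;
    int hit = -1;
    for (size_t i = 0; i < n; i++) {
        int len = as_signed ? (int)(signed char)lens[i]
                            : (int)(uint8_t)lens[i];
        total_len += len;
        if (total_len > max_len) { hit = (int)i; break; }
    }
    *total_out = total_len;
    return hit;
}

/* Bytes the labels really occupy, independent of how the parser counts. */
static int real_total(const unsigned char *lens, size_t n)
{
    int sum = 0;
    for (size_t i = 0; i < n; i++) sum += lens[i];
    return sum;
}

int main(void)
{
    int t_old, t_new;
    int old_hit = first_rejected(SAMPLE_LENS, SAMPLE_COUNT, 64, 1, &t_old);
    int new_hit = first_rejected(SAMPLE_LENS, SAMPLE_COUNT, 64, 0, &t_new);
    printf("real=%d  old: hit=%d total=%d  new: hit=%d total=%d\n",
           real_total(SAMPLE_LENS, SAMPLE_COUNT),
           old_hit, t_old, new_hit, t_new);
    return 0;
}
```

With the signed read the accounted total never exceeds the limit even though the labels claim far more bytes than it allows; with the unsigned read the check fires on the second length byte.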