Date: Thu, 4 Sep 2008 00:24:10 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: CVE id request: dns2tcp
Hi,
dns2tcp fixed a buffer overflow in 0.4.1:
http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en
diff -Nurad dns2tcp-0.4.dfsg/common/dns.c dns2tcp-0.4.1/common/dns.c
--- dns2tcp-0.4.dfsg/common/dns.c 2007-07-07 19:18:10.000000000 +0200
+++ dns2tcp-0.4.1/common/dns.c 2008-09-01 14:49:08.000000000 +0200
@@ -114,7 +114,7 @@
void dns_simple_decode(char *input, char *output, int max_len)
{
- int len;
+ uint8_t len;
char *ptr;
int total_len =0;
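Review bot: `ptr` stays declared as `char *` beside the new `uint8_t len`, so the signedness fix depends on a cast at each dereference. Declaring `ptr` as `unsigned char *` would make every `*ptr` read non-negative without relying on the cast. `uint8_t` also needs `<stdint.h>`, and no include change for common/dns.c is visible in this diff.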
@@ -122,7 +122,7 @@
*output = 0;
while (*ptr)
{
- len = (int) *ptr;
+ len = (uint8_t) *ptr;
total_len +=len;
if (total_len > max_len)
break;
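Review bot: at `if (total_len > max_len) break;` the decode stops silently, and because `dns_simple_decode()` returns `void` the caller cannot tell a truncated name from a complete one. Consider returning an error on this path. The comparison also accepts `total_len == max_len`; since the copy into `output` is outside this hunk, it is worth confirming that the terminator still fits in that case.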
diff -Nurad dns2tcp-0.4.dfsg/server/dns_decode.c dns2tcp-0.4.1/server/dns_decode.c
--- dns2tcp-0.4.dfsg/server/dns_decode.c 2007-07-07 19:18:10.000000000 +0200
+++ dns2tcp-0.4.1/server/dns_decode.c 2008-09-01 14:49:08.000000000 +0200
@@ -1,6 +1,6 @@
@@ -79,7 +79,7 @@
{
int max_compress_depth = MAX_COMPRESS_DEPTH;
int total_len = 0;
- int len;
+ uint8_t len;
char *ptr;
ptr = input;
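Review bot: this is the same `int len` to `uint8_t len` change as in common/dns.c, which means the label-length parsing exists in two places and had to be fixed twice. A shared helper that reads one length octet as an unsigned value would keep the two decoders from diverging again.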
@@ -87,7 +87,8 @@
while ((max_compress_depth) && (*ptr))
{
- len = (int) *ptr;
+ // Oups ...
+ len = (uint8_t) *ptr;
total_len += len;
if ((len & COMPRESS_FLAG_CHAR) == COMPRESS_FLAG_CHAR)
{
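Review bot: the added comment `// Oups ...` does not record what was wrong; it should say that a length octet with the high bit set was read through `char` and became a negative `int`. Separately, `total_len += len;` runs before the `COMPRESS_FLAG_CHAR` test, so an octet carrying the compression flag is counted as a label length; moving the addition into the non-compressed branch would keep `total_len` meaningful.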
This looks like it is possible to overwrite a buffer by passing a negative length to
dns_simple_decode() or dns_decode().
Can I get a CVE id for this please?
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
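
Added example, not part of the original mail and not dns2tcp code: a C model of only the length accounting in the patched loops (nothing is copied), showing how a sign-extended length octet keeps `total_len` under `max_len`. The names `account_labels` and `enum mode`, the sample octets, and the strict 63-byte limit (the RFC 1035 label maximum) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum mode { SIGNED_LEN, UNSIGNED_LEN, STRICT_LEN };

/* Model of the length accounting only. Returns the index of the length octet
 * at which decoding stops early, or -1 if every octet is accepted.
 * *total receives the running total at the point the walk ends. */
static int account_labels(const unsigned char *octets, size_t n, int max_len,
                          enum mode mode, int *total)
{
    *total = 0;
    for (size_t i = 0; i < n; i++) {
        int len;
        if (mode == SIGNED_LEN)
            /* 0.4 behaviour where plain char is signed: 0x80..0xff go negative */
            len = (int)(signed char)octets[i];
        else
            /* 0.4.1 behaviour: the octet is always read as 0..255 */
            len = (int)(uint8_t)octets[i];
        /* Assumption (RFC 1035): a plain label is at most 63 bytes long */
        if (mode == STRICT_LEN && len > 63)
            return (int)i;
        *total += len;
        if (*total > max_len)
            return (int)i;
    }
    return -1;
}

/* Constructed sample: three 60-byte labels with one 0x80 octet in between */
static const unsigned char sample[] = { 60, 0x80, 60, 60 };

int main(void)
{
    static const char *names[] = { "signed", "unsigned", "strict" };
    for (int m = SIGNED_LEN; m <= STRICT_LEN; m++) {
        int total;
        int stop = account_labels(sample, sizeof sample, 64, (enum mode)m, &total);
        printf("%-8s stop=%d total=%d\n", names[m], stop, total);
    }
    return 0;
}
```

With the signed read, all four octets pass a `max_len` of 64 although the positive lengths alone sum to 180; the unsigned read stops at the second octet.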