SECURITY: adnshost: Fix missing-final-newline handling on stdin read
author Ian Jackson <ijackson@chiark.greenend.org.uk>
Tue, 6 Dec 2016 12:51:44 +0000 (12:51 +0000)
committer Ian Jackson <ijackson@chiark.greenend.org.uk>
Tue, 26 May 2020 19:11:54 +0000 (20:11 +0100)
It is wrong to increment used as well as setting r, since used is
incremented according to r, later.  Rather we should be doing what
read() would have done.

Without this fix, adnshost may read and process one byte beyond the
buffer, perhaps crashing or perhaps somehow leaking the value of that
byte.

Found by AFL 2.35b.  CVE-2017-9108.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
client/adh-main.c

index 9709be225d331ceb1a50c8fce532694516668ae4..31335b70dd11cb22b09691aa89c8f58d8a11e805 100644 (file)
@@ -206,7 +206,7 @@ static void read_stdin(void) {
       if (r == 0) {
        if (used) {
          /* fake up final newline */
-         buf[used++]= '\n';
+         buf[used]= '\n';
          r= 1;
        } else {
          ov_pipe= 0;
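Review bot: the store at `buf[used]= '\n';` relies on `used` being strictly less than the buffer's capacity when `r == 0`, and nothing in the visible context establishes that. If the buffer can be full at end of input, this write is still one byte out of bounds even with the double increment gone. Please either add an assertion on `used` against the buffer size just before the store, or extend the `/* fake up final newline */` comment to state the invariant that guarantees the spare byte. It would also help to note in that comment that `r= 1` is what makes the later code advance `used`, so a future edit does not reintroduce the `used++` here.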