From: Ian Jackson Date: Tue, 6 Dec 2016 12:51:44 +0000 (+0000) Subject: SECURITY: adnshost: Fix missing-final-newline handling on stdin read X-Git-Tag: adns-1.5.2~23 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=72c6bfd77dfdb34457a792874fd1c3030fca90ac;p=adns.git SECURITY: adnshost: Fix missing-final-newline handling on stdin read It is wrong to increment used as well as setting r, since used is incremented according to r, later. Rather we should be doing what read() would have done. Without this fix, adnshost may read and process one byte beyond the buffer, perhaps crashing or perhaps somehow leaking the value of that byte. Found by AFL 2.35b. CVE-2017-9108. Signed-off-by: Ian Jackson --- diff --git a/client/adh-main.c b/client/adh-main.c index 9709be2..31335b7 100644 --- a/client/adh-main.c +++ b/client/adh-main.c @@ -206,7 +206,7 @@ static void read_stdin(void) { if (r == 0) { if (used) { /* fake up final newline */ - buf[used++]= '\n'; + buf[used]= '\n'; r= 1; } else { ov_pipe= 0;
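Review bot: the comment in the `if (used)` branch, `/* fake up final newline */`, should also say that `r= 1` stands in for what read() would have returned and that `used` is advanced by `r` later, so that nobody reintroduces the `used++` responsible for the one-byte over-read. The store `buf[used]= '\n';` additionally relies on `used` being strictly below the buffer's capacity at this point; the context shown in the hunk does not establish that bound, so it is worth confirming or asserting it immediately before the write. A regression test that feeds adnshost stdin input with no trailing newline would pin down the case AFL found.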