From 72c6bfd77dfdb34457a792874fd1c3030fca90ac Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Tue, 6 Dec 2016 12:51:44 +0000 Subject: [PATCH] SECURITY: adnshost: Fix missing-final-newline handling on stdin read It is wrong to increment used as well as setting r, since used is incremented according to r, later. Rather we should be doing what read() would have done. Without this fix, adnshost may read and process one byte beyond the buffer, perhaps crashing or perhaps somehow leaking the value of that byte. Found by AFL 2.35b. CVE-2017-9108. Signed-off-by: Ian Jackson --- client/adh-main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/adh-main.c b/client/adh-main.c index 9709be2..31335b7 100644 --- a/client/adh-main.c +++ b/client/adh-main.c @@ -206,7 +206,7 @@ static void read_stdin(void) { if (r == 0) { if (used) { /* fake up final newline */ - buf[used++]= '\n'; + buf[used]= '\n'; r= 1; } else { ov_pipe= 0; -- 2.30.2
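Review bot: In the `if (used)` branch of read_stdin(), the store `buf[used]= '\n';` followed by `r= 1;` is only correct because of two things the hunk does not show: that `used` is advanced according to `r` later (as the commit message states), and that there is at least one free byte at index `used` when read() returns 0. Suggest expanding the `/* fake up final newline */` comment to say that `used` is deliberately not incremented here because the later accounting by `r` does it, mimicking what read() would have done. Please also confirm, or assert, that the buffer has room at `buf[used]` before this store. Otherwise a later edit could easily reintroduce the double increment or a write past the end of the buffer.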