chiark / gitweb /
SECURITY: adns: Do not corrupt pointer when nameserver speaks first
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Thu, 1 Dec 2016 02:48:09 +0000 (02:48 +0000)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Tue, 26 May 2020 19:08:35 +0000 (20:08 +0100)
Wrong number of pointer dereferences.

This bug may well be exploitable as a remote code execution.

Found by AFL 2.35b.  CVE-2017-9105.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
src/event.c

index dcc49e9..b36288d 100644 (file)
@@ -461,7 +461,7 @@ int adns_processwriteable(adns_state ads, int fd, const struct timeval *now) {
       }
       assert(FD_ISSET(ads->tcpsocket,&writeable));
       if (!adns__vbuf_ensure(&ads->tcprecv,1)) { r= ENOMEM; goto xit; }
-      r= read(ads->tcpsocket,&ads->tcprecv.buf,1);
+      r= read(ads->tcpsocket,ads->tcprecv.buf,1);
       if (r==0 || (r<0 && (errno==EAGAIN || errno==EWOULDBLOCK))) {
        tcp_connected(ads,*now);
        r= 0; goto xit;