SECURITY: adnshost: Fix missing-final-newline handling on stdin read
author Ian Jackson <ijackson@chiark.greenend.org.uk>
Tue, 6 Dec 2016 12:51:44 +0000 (12:51 +0000)
committer Ian Jackson <ijackson@chiark.greenend.org.uk>
Tue, 26 May 2020 19:11:54 +0000 (20:11 +0100)
It is wrong to increment used as well as setting r, since used is
incremented according to r, later.  Rather we should be doing what
read() would have done.

Without this fix, adnshost may read and process one byte beyond the
buffer, perhaps crashing or perhaps somehow leaking the value of that
byte.

Found by AFL 2.35b.  CVE-2017-9108.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
client/adh-main.c

index 9709be2..31335b7 100644 (file)
@@ -206,7 +206,7 @@ static void read_stdin(void) {
       if (r == 0) {
        if (used) {
          /* fake up final newline */
-         buf[used++]= '\n';
+         buf[used]= '\n';
          r= 1;
        } else {
          ov_pipe= 0;
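Review bot: The corrected line `buf[used]= '\n';` is only in bounds if `used < sizeof(buf)` whenever `r == 0` is reached, and the hunk does not show the preceding read() call, so it is worth confirming that read() is always issued with a length of at least one byte (i.e. the buffer is drained before it fills), otherwise `r == 0` can also mean "buffer full" rather than EOF and `buf[used]` is itself the one-past-the-end slot. A short comment beside `r= 1;` saying that `used` is advanced by `r` later in the function would make it obvious to the next reader why the `++` was wrong and stop someone from reintroducing it.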