From: Ian Jackson Date: Thu, 1 Dec 2016 02:48:09 +0000 (+0000) Subject: SECURITY: adns: Do not corrupt pointer when nameserver speaks first X-Git-Tag: adns-1.5.2~29 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commitdiff_plain;h=17afb298d90c5aafed76bd3855a5fe7dcd58594c;hp=7ba7a232de0516d2cce934bdc91627b33b46ef47 SECURITY: adns: Do not corrupt pointer when nameserver speaks first Wrong number of pointer dereferences. This bug may well be exploitable as a remote code execution. Found by AFL 2.35b. CVE-2017-9105. Signed-off-by: Ian Jackson --- diff --git a/src/event.c b/src/event.c index dcc49e9..b36288d 100644 --- a/src/event.c +++ b/src/event.c @@ -461,7 +461,7 @@ int adns_processwriteable(adns_state ads, int fd, const struct timeval *now) { } assert(FD_ISSET(ads->tcpsocket,&writeable)); if (!adns__vbuf_ensure(&ads->tcprecv,1)) { r= ENOMEM; goto xit; } - r= read(ads->tcpsocket,&ads->tcprecv.buf,1); + r= read(ads->tcpsocket,ads->tcprecv.buf,1); if (r==0 || (r<0 && (errno==EAGAIN || errno==EWOULDBLOCK))) { tcp_connected(ads,*now); r= 0; goto xit;
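Review bot: the corrected read still writes to offset 0 of the receive buffer rather than `ads->tcprecv.buf + ads->tcprecv.used`, and `adns__vbuf_ensure(&ads->tcprecv,1)` only guarantees one byte of capacity, not that the buffer is empty, so if anything is already buffered when the connect probe runs the probe byte silently clobbers `buf[0]`. If the buffer is known to be empty at this point, an `assert(!ads->tcprecv.used);` immediately before the `r= read(...)` line would document that invariant and turn a future violation into a crash instead of a corrupted receive buffer. The removed line also shows why the original was remotely triggerable: `&ads->tcprecv.buf` is the address of the pointer field itself, so the first byte a nameserver sent unprompted was stored into the pointer, and every later use of `tcprecv.buf` went through a peer-influenced address.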
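To make the mechanism behind "wrong number of pointer dereferences" concrete, the following is an added example, not adns's own code: a minimal `struct vbuf`, a `vbuf_ensure` helper, and a pipe standing in for a nameserver that sends a byte before being asked anything are all constructed here for illustration. It performs the same one-byte connect probe twice, once with the extra `&` of the removed line and once with the fixed argument, and reports whether the buffer pointer survived.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for adns's growable byte buffer (the real type is
 * adns__vbuf; this copy exists only for the example). `buf` points at heap
 * storage, so `&vb->buf` is the address of the pointer itself, not of the
 * bytes it refers to. */
struct vbuf {
  int used, avail;
  unsigned char *buf;
};

/* Grow the buffer so that at least `want` bytes are available. */
static int vbuf_ensure(struct vbuf *vb, int want) {
  if (vb->avail >= want) return 1;
  unsigned char *nb = realloc(vb->buf, (size_t)want);
  if (!nb) return 0;
  vb->buf = nb;
  vb->avail = want;
  return 1;
}

/* Constructed peer: a pipe whose read end already holds one byte, i.e. a
 * "nameserver" that speaks before we have sent a request. Returns the fd
 * to read from, or -1 on failure. */
static int peer_that_speaks_first(unsigned char byte) {
  int fds[2];
  if (pipe(fds) < 0) return -1;
  if (write(fds[1], &byte, 1) != 1) { close(fds[0]); close(fds[1]); return -1; }
  close(fds[1]);
  return fds[0];
}

/* Pre-fix probe: read() is handed &vb->buf, the address of the pointer
 * field, so the peer's byte is written into the pointer's own storage.
 * Returns 1 if the pointer's bytes changed as a result. */
static int probe_buggy(struct vbuf *vb, int fd) {
  unsigned char *before = vb->buf;
  ssize_t r = read(fd, &vb->buf, 1);            /* wrong: one '&' too many */
  return r == 1 && memcmp(&vb->buf, &before, sizeof before) != 0;
}

/* Post-fix probe: read() is handed vb->buf, so the byte lands in the
 * buffer. Returns 1 if the pointer is intact and the byte was stored. */
static int probe_fixed(struct vbuf *vb, int fd, unsigned char expect) {
  unsigned char *before = vb->buf;
  ssize_t r = read(fd, vb->buf, 1);
  return r == 1 && vb->buf == before && vb->buf[0] == expect;
}

/* Run both probes against a peer that sends 0xA5 first. Returns 1 when the
 * buggy probe corrupted the pointer and the fixed probe left it intact,
 * 0 if either observation failed, -1 on setup error. */
int demonstrate(void) {
  struct vbuf vb = {0, 0, NULL};
  if (!vbuf_ensure(&vb, 1)) return -1;
  unsigned char *alloc = vb.buf;             /* keep the real allocation */
  int fd, corrupted, intact;

  fd = peer_that_speaks_first(0xA5);
  if (fd < 0) { free(alloc); return -1; }
  corrupted = probe_buggy(&vb, fd);
  close(fd);
  vb.buf = alloc;          /* undo the corruption so the pointer is valid again */

  fd = peer_that_speaks_first(0xA5);
  if (fd < 0) { free(alloc); return -1; }
  intact = probe_fixed(&vb, fd, 0xA5);
  close(fd);

  free(alloc);
  return corrupted && intact;
}

int main(void) {
  int r = demonstrate();
  printf("buggy read corrupted the buffer pointer, fixed read did not: %s\n",
         r == 1 ? "yes" : "no");
  return r == 1 ? 0 : 1;
}
```

The byte 0xA5 is chosen so that it cannot coincide with the existing byte of a malloc-aligned pointer; after the buggy probe the pointer has one byte replaced by a value the peer picked, which is why the example restores it before calling `free`. In the real client the corrupted `tcprecv.buf` would instead be the destination for everything the TCP stream delivered next.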