SECURITY: adns: Do not corrupt pointer when nameserver speaks first

Wrong number of pointer dereferences.

This bug may well be exploitable as a remote code execution.

Found by AFL 2.35b.  CVE-2017-9105.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

diff --git a/src/event.c b/src/event.c
index dcc49e9cc72b0562d0ec42d8ca6dab57e11ede5e..b36288ddfab610e305a4205d659f963bdaabb4d4 100644 (file)
--- a/src/event.c
+++ b/src/event.c
@@ -461,7 +461,7 @@ int adns_processwriteable(adns_state ads, int fd, const struct timeval *now) {
       }
       assert(FD_ISSET(ads->tcpsocket,&writeable));
       if (!adns__vbuf_ensure(&ads->tcprecv,1)) { r= ENOMEM; goto xit; }
-      r= read(ads->tcpsocket,&ads->tcprecv.buf,1);
+      r= read(ads->tcpsocket,ads->tcprecv.buf,1);
       if (r==0 || (r<0 && (errno==EAGAIN || errno==EWOULDBLOCK))) {
        tcp_connected(ads,*now);
        r= 0; goto xit;