From 17afb298d90c5aafed76bd3855a5fe7dcd58594c Mon Sep 17 00:00:00 2001
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Thu, 1 Dec 2016 02:48:09 +0000
Subject: [PATCH] SECURITY: adns: Do not corrupt pointer when nameserver speaks
 first

Wrong number of pointer dereferences.

This bug may well be exploitable as a remote code execution.

Found by AFL 2.35b.  CVE-2017-9105.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
 src/event.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/event.c b/src/event.c
index dcc49e9..b36288d 100644
--- a/src/event.c
+++ b/src/event.c
@@ -461,7 +461,7 @@ int adns_processwriteable(adns_state ads, int fd, const struct timeval *now) {
       }
       assert(FD_ISSET(ads->tcpsocket,&writeable));
       if (!adns__vbuf_ensure(&ads->tcprecv,1)) { r= ENOMEM; goto xit; }
-      r= read(ads->tcpsocket,&ads->tcprecv.buf,1);
+      r= read(ads->tcpsocket,ads->tcprecv.buf,1);
       if (r==0 || (r<0 && (errno==EAGAIN || errno==EWOULDBLOCK))) {
 	tcp_connected(ads,*now);
 	r= 0; goto xit;
-- 
2.30.2