When a token is longer than the built-in 256-byte buffer, a buffer is malloc()'d but it was not properly null-terminated.
Found by afl-fuzz. Reported-by: Bhargava Shastry <bshas...@sec.t-labs.tu-berlin.de> Signed-off-by: Ben Pfaff <b...@ovn.org> --- ovn/lib/lex.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c index 6f2b570f5c65..2f49af0e91e2 100644 --- a/ovn/lib/lex.c +++ b/ovn/lib/lex.c @@ -89,7 +89,7 @@ lex_token_strcpy(struct lex_token *token, const char *s, size_t length) ? token->buffer : xmalloc(length + 1)); memcpy(token->s, s, length); - token->buffer[length] = '\0'; + token->s[length] = '\0'; } void -- 2.10.2 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
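Review bot: The new `token->s[length] = '\0';` is the right target, since `token->s` is exactly the storage `memcpy` just filled (inline `token->buffer` or the `xmalloc(length + 1)` block), so the terminator now lands on the heap buffer for long tokens. The commit message could state that the old `token->buffer[length] = '\0';` was worse than a missing terminator: for a token of `length` at or beyond the 256-byte inline buffer it also wrote one byte past `token->buffer`, so this closes an out-of-bounds write as well as an unterminated-string read. Consider keeping the afl-fuzz input (a token longer than 256 bytes) as a regression test so the heap-allocated path of `lex_token_strcpy()` stays covered.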