When a token is longer than the built-in 256-byte buffer, a buffer is
malloc()'d but it was not properly null-terminated.

Found by afl-fuzz.

Reported-by: Bhargava Shastry <bshas...@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <b...@ovn.org>
---
 ovn/lib/lex.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c
index 6f2b570f5c65..2f49af0e91e2 100644
--- a/ovn/lib/lex.c
+++ b/ovn/lib/lex.c
@@ -89,7 +89,7 @@ lex_token_strcpy(struct lex_token *token, const char *s, 
size_t length)
                 ? token->buffer
                 : xmalloc(length + 1));
     memcpy(token->s, s, length);
-    token->buffer[length] = '\0';
+    token->s[length] = '\0';
 }
 
 void
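Review bot: the commit message understates the old behaviour: with `token->buffer[length] = '\0'`, any `length` beyond the 256-byte built-in buffer (exactly the case where the xmalloc() branch is taken) wrote one byte past the end of `token->buffer` in addition to leaving the heap copy unterminated, so this is an out-of-bounds write as well as a missing terminator. The fix itself is right, since `token->s` always points at whichever storage `memcpy()` filled and the `xmalloc(length + 1)` leaves room for the terminator. It would be worth adding a test that lexes a token of at least 257 bytes so the malloc path stays covered, given that afl-fuzz rather than the existing tests caught this.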
-- 
2.10.2

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
