On Fri, Jan 05, 2018 at 10:20:21AM -0800, Gregory Rose wrote: > On 1/2/2018 11:15 AM, Ben Pfaff wrote: > >When a token is longer than the built-in 256-byte buffer, a buffer is > >malloc()'d but it was not properly null-terminated. > > > >Found by afl-fuzz. > > > >Reported-by: Bhargava Shastry <[email protected]> > >Signed-off-by: Ben Pfaff <[email protected]> > >--- > > ovn/lib/lex.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > >diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c > >index 6f2b570f5c65..2f49af0e91e2 100644 > >--- a/ovn/lib/lex.c > >+++ b/ovn/lib/lex.c > >@@ -89,7 +89,7 @@ lex_token_strcpy(struct lex_token *token, const char *s, > >size_t length) > > ? token->buffer > > : xmalloc(length + 1)); > > memcpy(token->s, s, length); > >- token->buffer[length] = '\0'; > >+ token->s[length] = '\0'; > > } > > void > > Reviewed-by: Greg Rose <[email protected]>
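Review bot: The commit message undersells what the removed line `token->buffer[length] = '\0';` did in lex_token_strcpy(). In the malloc() case described ("a token is longer than the built-in 256-byte buffer"), that store indexed the fixed buffer at `length`, so besides leaving `token->s` unterminated it wrote a zero byte past the end of `token->buffer`. Stating the out-of-bounds write in the message would help anyone triaging the backports. The diffstat shows only ovn/lib/lex.c changed; a lexer test case with a token longer than 256 bytes would keep the afl-fuzz finding from regressing.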
Thanks, applied to master and backported as far as necessary.
