At the end of string s when s[n] == '\0', strchr(delimiters, '\0') returns a non-null value. As a result, this function reads beyond the valid length of s and returns an erroneous length. This patch fixes it.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11473 Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11505 Signed-off-by: Yifeng Sun <[email protected]> --- lib/ofp-parse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ofp-parse.c b/lib/ofp-parse.c index a8b5a877c59e..fd008dd80e7d 100644 --- a/lib/ofp-parse.c +++ b/lib/ofp-parse.c @@ -259,7 +259,7 @@ parse_value(const char *s, const char *delimiters) * * strchr(s, '\0') returns s+strlen(s), so this test handles the null * terminator at the end of 's'. */ - while (!strchr(delimiters, s[n])) { + while (s[n] != '\0' && !strchr(delimiters, s[n])) { if (s[n] == '(') { int level = 0; do { -- 2.7.4 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
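Review bot: on the changed `while` line, the added `s[n] != '\0'` test looks redundant with the existing condition. The retained comment directly above it states that strchr() matches the null terminator, so `!strchr(delimiters, s[n])` is already false when s[n] is '\0' and the outer loop already stops there. If the fuzzer-reported over-read is real, it more likely comes from the nested `do {` loop entered on `s[n] == '('`, whose body is not visible in this hunk. Please confirm that loop checks for '\0' before advancing n, and put the terminator check there if it does not. If the outer check is kept anyway, update the comment above it, since it still describes the strchr() test as the thing that handles the terminator.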
