lex: Fix parsing of long tokens.

When a token is longer than the built-in 256-byte buffer, a buffer is malloc()'d but it was not properly null-terminated. Found by afl-fuzz. Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> Signed-off-by: Ben Pfaff <blp@ovn.org> Reviewed-by: Greg Rose <gvrose8192@gmail.com>
openvswitch · Jan 8, 2018 · 5a58ba3 · 5a58ba3
1 parent 60edd61
commit 5a58ba3
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c
@@ -89,7 +89,7 @@ lex_token_strcpy(struct lex_token *token, const char *s, size_t length)
                 ? token->buffer
                 : xmalloc(length + 1));
     memcpy(token->s, s, length);
-    token->buffer[length] = '\0';
+    token->s[length] = '\0';
 }
 
 void