lex: Fix parsing of long tokens.

When a token is longer than the built-in 256-byte buffer, a buffer is
malloc()'d but it was not properly null-terminated.

Found by afl-fuzz.

Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>

diff --git a/ovn/lib/lex.c b/ovn/lib/lex.c
index 6f2b570f5c65ade6a02f4e843f828e23c995a8b2..2f49af0e91e2a909a6f611477d5159175e72457a 100644 (file)
--- a/ovn/lib/lex.c
+++ b/ovn/lib/lex.c
@@ -89,7 +89,7 @@ lex_token_strcpy(struct lex_token *token, const char *s, size_t length)
                 ? token->buffer
                 : xmalloc(length + 1));
     memcpy(token->s, s, length);
-    token->buffer[length] = '\0';
+    token->s[length] = '\0';
 }
 
 void