ensure that input buffer is zero-terminated

diff --git a/src/lib/util/fuzzer.c b/src/lib/util/fuzzer.c
index 3a5bdd604ea2090dd9729618ca6754293cee0f95..82c76d19e73284ba5d7fc017c3ec271474df2d8f 100644 (file)
--- a/src/lib/util/fuzzer.c
+++ b/src/lib/util/fuzzer.c
@@ -41,6 +41,7 @@ static ssize_t util_decode_proto(TALLOC_CTX *ctx, UNUSED fr_pair_list_t *out, ui
        ssize_t rcode;
        fr_type_t type;
        fr_value_box_t *box;
+       uint8_t *copy;
 
        if (data_len == 1) return data_len;
 
@@ -56,13 +57,23 @@ static ssize_t util_decode_proto(TALLOC_CTX *ctx, UNUSED fr_pair_list_t *out, ui
        box = fr_value_box_alloc(ctx, type, NULL, true);
        if (!box) return -1;
 
+       /*
+        *      Copy the input, and ensure that it's zero terminated.
+        */
+       copy = talloc_zero_array(box, uint8_t, data_len);
+       if (!copy) {
+               talloc_free(box);
+               return -1;
+       }
+       memcpy(copy, data + 1, data_len - 1);
+
+
        /*
         *      Some things in value_box_from_str() don't yet respect
-        *      data_len.  This means that we _know_ there will be
-        *      buffer over-runs, so some issues will have to be
-        *      ignored for now.  :(
+        *      data_len.  This means that if there's no zero
+        *      termination, we _know_ there will be buffer over-runs.
         */
-       rcode = fr_value_box_from_str(box, box, type, NULL, (char const *) data + 1, data_len - 1, 0, true);
+       rcode = fr_value_box_from_str(box, box, type, NULL, (char const *) copy, data_len - 1, 0, true);
        talloc_free(box);
        return rcode;
 }