app/test: fix buffer overflow

A bug has been detected by valgrind:

Invalid write of size 1
   by 0x86ECC76: sprintf (in /usr/lib/libc-2.23.so)
   by 0x430B0A: commands_init (in build/app/test)
   by 0x42F215: main (in build/app/test)
 Address 0x9d72ff2 is 0 bytes after a block of size 1,346 alloc'd
   at 0x78C1BD0: malloc (in vgpreload_memcheck-amd64-linux.so)
   by 0x430AE4: commands_init (in build/app/test)
   by 0x42F215: main (in build/app/test)

The commands buffer is exactly 1346 B long so there is an access just
after the buffer. The sprintf always writes '\0' at the end of the string.
The '#' separator adds 1 B more to each string. This is correct until the
last string is sprinted there. The last one is 1 B longer then expected,
i.e.:
      strlen(t->command) + strlen("#") + ONE_FOR_ZERO

Fixes: 727909c59231 ("app/test: introduce dynamic commands list")

Signed-off-by: Jan Viktorin <viktorin@rehivetech.com>
Acked-by: David Marchand <david.marchand@6wind.com>

diff --git a/app/test/commands.c b/app/test/commands.c
index 9cb9606..e0af8e4 100644 (file)
--- a/app/test/commands.c
+++ b/app/test/commands.c
@@ -439,7 +439,7 @@ int commands_init(void)
                commands_len += strlen(t->command) + 1;
        }
 
-       commands = malloc(commands_len);
+       commands = malloc(commands_len + 1);
        if (!commands)
                return -1;