authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2018-05-20 22:06:23 +0200
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2018-05-31 14:30:23 +0200
commit324d6aa92629d4368b517f5c4d17a103c69098be (patch)
tree1c371592c8e40ee9e5169447347eda0454839636
parent2e69f4114c4a71a874bfee39600d6adc0d0064a5 (diff)
downloadsystemd-324d6aa92629d4368b517f5c4d17a103c69098be.tar.gz
shared/logs-show: fix mixup between length-based memory duplication and string operations
We'd look for a '=' separator using memchr, i.e. ignoring any nul bytes in the string, but then do a strndup, which would terminate on any nul byte, and then again do a memcmp, which would access memory past the chunk allocated by strndup. Of course, we probably shouldn't allow keys with nul bytes in them. But we currently do, so there might be journal files like that out there. So let's fix the journal-reading code first.
-rw-r--r--src/shared/logs-show.c4
-rw-r--r--test/fuzz-regressions/fuzz-journal-remote/crash-96dee870ea66d03e89ac321eee28ea63a9b9aa45bin0 -> 2490 bytes
2 files changed, 2 insertions, 2 deletions
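diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index 50326fde5d..124fa838b3 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -839,7 +839,7 @@ static int output_json(
 if (!eq)
 continue;
-n = strndup(data, eq - (const char*) data);
+n = memdup_suffix0(data, eq - (const char*) data);
 if (!n) {
 r = log_oom();
 goto finish;
@@ -891,7 +891,7 @@ static int output_json(
 m = eq - (const char*) data;
-n = strndup(data, m);
+n = memdup_suffix0(data, m);
 if (!n) {
 r = log_oom();
 goto finish;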
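Review bot: The key copied into `n` at the first hunk's memdup_suffix0() call (and likewise at the second hunk's) can now legitimately carry embedded NUL bytes, but nothing in the hunk records that invariant, so a later maintainer could reintroduce a strlen()-based consumer and bring back the out-of-bounds read the commit message describes; a comment on the call would pin it: `/* Not strndup(): the key may contain NUL bytes, and the length-based comparison below must see the whole [data, eq) range. */`. Whether the key is later emitted through a string-based JSON escaper is not visible here; if it is, an embedded NUL would still truncate the key silently in the output, which is worth a follow-up check. output_json() starts and ends outside both hunks.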
diff --git a/test/fuzz-regressions/fuzz-journal-remote/crash-96dee870ea66d03e89ac321eee28ea63a9b9aa45 b/test/fuzz-regressions/fuzz-journal-remote/crash-96dee870ea66d03e89ac321eee28ea63a9b9aa45
new file mode 100644
index 0000000000..535d49ea7a
--- /dev/null
+++ b/test/fuzz-regressions/fuzz-journal-remote/crash-96dee870ea66d03e89ac321eee28ea63a9b9aa45
Binary files differ