This repository has been archived by the owner on Feb 12, 2019. It is now read-only.

Bug Crash found in router #159

Open
stuartly opened this issue Nov 9, 2017 · 0 comments


stuartly commented Nov 9, 2017

I tried to fuzz router and found crashes; the debug info indicated that the crash is caused at config.c:202.

```
(gdb) r -c FUZZ/afl-output/crashes/id:000000,sig:11,src:000108,op:havoc,rep:2
Starting program: /home/stly/Documents/FuzzTarget/jabberd2/router/router -c FUZZ/afl-output/crashes/id:000000,sig:11,src:000108,op:havoc,rep:2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000042a54c in config_load_with_id (c=, file=,
id=) at config.c:202
202 if(NAD_CDATA_L(bd.nad, i) > 0) {
```

Furthermore, I checked the code at config.c:202. A buffer overflow may happen when copying val to elem->values[elem->nvalues].

```c
    elem->values = realloc((void *) elem->values, sizeof(char *) * (elem->nvalues + 1));

    /* and copy it in */
    if(NAD_CDATA_L(bd.nad, i) > 0) {
        // Expand values
        const char *val = _config_expandx(c, NAD_CDATA(bd.nad, i), NAD_CDATA_L(bd.nad, i));

        if (!val) {
            rv = 1;
            break;
        }
        // Make a copy
        elem->values[elem->nvalues] = val;
    } else {
        elem->values[elem->nvalues] = "1";
    }
```

Attached is the test case that triggers the crash; please check it.
id:000000,sig:11,src:000108,op:havoc,rep:2.tar.gz
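The realloc-and-store pattern quoted from config.c, written out as an added example with the checks a reviewer would want at that site. This is not jabberd2's code: `values_t`, `values_append` and `run_example` are stand-ins for the element type and the NAD accessors the snippet uses, and the input spans are constructed. It treats the parser-reported length as untrusted (the snippet compares it with `> 0`, so it is signed), keeps the `realloc` result in a temporary so a NULL is never written through and the old array is never lost, and copies the value into memory the element owns rather than storing a pointer into the parser buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the element the snippet fills: a growable,
 * owned array of C strings plus its count. Example code, not jabberd2's
 * own config element type. */
typedef struct {
    char **values;
    size_t nvalues;
} values_t;

/* Append one parsed value, growing the array by exactly one slot as the
 * original code does. Returns 0 on success, -1 on failure; on failure the
 * element is left exactly as it was. */
int values_append(values_t *v, const char *src, long len)
{
    char **grown;
    char *copy;

    /* Length comes from parsed input: reject negatives and anything that
     * would not fit a size_t once the terminator is added. */
    if (len < 0 || (unsigned long)len > SIZE_MAX - 1)
        return -1;
    /* Guard the size computation that feeds realloc. */
    if (v->nvalues >= SIZE_MAX / sizeof(char *) - 1)
        return -1;

    /* Own the storage: copy the span instead of aliasing the parser buffer. */
    if (len > 0) {
        copy = malloc((size_t)len + 1);
        if (!copy)
            return -1;
        memcpy(copy, src, (size_t)len);
        copy[len] = '\0';
    } else {
        copy = malloc(2);            /* empty CDATA becomes "1", as in the else branch */
        if (!copy)
            return -1;
        memcpy(copy, "1", 2);
    }

    /* Grow into a temporary; a NULL here must not clobber v->values. */
    grown = realloc(v->values, sizeof(char *) * (v->nvalues + 1));
    if (!grown) {
        free(copy);
        return -1;
    }
    v->values = grown;
    v->values[v->nvalues++] = copy;
    return 0;
}

void values_free(values_t *v)
{
    for (size_t i = 0; i < v->nvalues; i++)
        free(v->values[i]);
    free(v->values);
    v->values = NULL;
    v->nvalues = 0;
}

/* Exercise the function with constructed CDATA spans: a normal value, an
 * empty one (stored as "1"), and a negative length of the kind a corrupted
 * node table might report. Returns 0 when every expectation holds. */
int run_example(void)
{
    values_t v = { NULL, 0 };
    int ok = 1;

    ok &= values_append(&v, "router.example", 14) == 0;  /* constructed value */
    ok &= values_append(&v, "", 0) == 0;                 /* empty -> "1" */
    ok &= values_append(&v, "ignored", -5) == -1;        /* bad length rejected */
    ok &= v.nvalues == 2;
    ok &= strcmp(v.values[0], "router.example") == 0;
    ok &= strcmp(v.values[1], "1") == 0;

    values_free(&v);
    return ok ? 0 : 1;
}

int main(void)
{
    return run_example();
}
```

Allocating the copy before the `realloc` means a failed grow leaves no half-reserved slot behind, and a failed copy never touches the array at all; either order works, but this one keeps the failure paths to a single `free`.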
