authorFredrik Thulin <fredrik@thulin.net>2016-05-31 10:31:27 +0200
committerFredrik Thulin <fredrik@thulin.net>2016-05-31 10:31:27 +0200
commit86814a2c11edd161e6611cf2f7764030eae1d565 (patch)
tree957e1b332ad2f48be614ffb14f7cbd35dbfdd50a
parent44b8ff38821a3f410a511be68a1cfe91bed03bbd (diff)
cli_parse_line: fix buffer overflow in word tokenization
-rw-r--r--libcli.c26
1 files changed, 16 insertions, 10 deletions
diff --git a/libcli.c b/libcli.c
index d97b304..730a8ab 100644
--- a/libcli.c
+++ b/libcli.c
@@ -512,16 +512,19 @@ static int cli_parse_line(const char *line, char *words[], int max_words)
if (!*p || *p == inquote || (word_start && !inquote && (isspace((unsigned char) *p) || *p == '|')))
{
if (word_start)
- {
- int len = p - word_start;
+ {
+ int len = p - word_start;
- if (len > 1)
- {
- memcpy(ptr, word_start, len);
- words[nwords++] = ptr;
- ptr += len + 1; /* buf is memset zero, so we just need to add +1 to get a null terminated word */
- }
- }
+ if (len > 1)
+ {
+ if ((ptr + len + 1) > buf + sizeof(buf) - 1) break;
+
+ memcpy(ptr, word_start, len);
+ words[nwords++] = ptr;
+ ptr += len;
+ ptr++; /* NULL terminate through memset above */
+ }
+ }
if (!*p)
break;
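Review bot: The new guard `if ((ptr + len + 1) > buf + sizeof(buf) - 1) break;` forms the pointer `ptr + len + 1` before comparing it, and for a long word that pointer lies more than one past the end of `buf`, which is undefined behaviour in C, so the check meant to stop the overflow is not guaranteed to survive optimisation. Comparing sizes avoids forming the pointer and accepts exactly the same inputs: `if ((size_t)len + 1 > sizeof(buf) - 1 - (size_t)(ptr - buf)) break;`. The pipe guard in the second hunk (`ptr + 1 + 1`) is written the same way. The declaration of `buf` and the loop header are outside the hunk, so this assumes `buf` is an array, as the `sizeof(buf)` already used here implies.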
@@ -543,9 +546,12 @@ static int cli_parse_line(const char *line, char *words[], int max_words)
{
if (*p == '|')
{
+ if ((ptr + 1 + 1) > buf + sizeof(buf) - 1) break;
+
*ptr = '|';
words[nwords++] = ptr;
- ptr += 1 + 1; /* buf is memset zero, so we just need to add +1 to get a null terminated word */
+ ptr += strlen("|");
+ ptr++; /* NULL terminate through memset above */
}
else if (!isspace((unsigned char) *p))
word_start = p;
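Review bot: When the `|` token does not fit, the added `break` leaves the loop with the pipe and everything after it dropped, and nothing in the hunk tells the caller that the line was cut short. The rest of cli_parse_line is outside the hunk, but presumably the words collected so far are still returned, so an over-long line would be handled as a shorter, different command instead of being rejected. If callers can handle a failure result, reporting the overflow is the safer behaviour; otherwise the truncation should at least be documented at the guard, for example `/* buf is full: stop here, the caller gets a truncated word list */`. The comment on `ptr++` should also say NUL rather than NULL, since it refers to the terminating byte and not a null pointer.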