From 10893783fbcee4db76e620c7f2576cdddd0e9ef4 Mon Sep 17 00:00:00 2001
From: Fredrik Thulin <fredrik@thulin.net>
Date: Mon, 23 May 2016 11:33:16 +0200
Subject: cli_clear_line: limit buffer usage to stay within the known size

---
 libcli.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/libcli.c b/libcli.c
index 3e33bd2..cdf895c 100644
--- a/libcli.c
+++ b/libcli.c
@@ -802,23 +802,25 @@ out:
     return k;
 }
 
-static void cli_clear_line(struct cli_def *cli, struct cli_loop_ctx *ctx, char *cmd, int l, int cursor)
+static void cli_clear_line(struct cli_def *cli, struct cli_loop_ctx *ctx)
 {
     int i;
-    if (cursor < l)
+    if (ctx->cursor < ctx->l)
     {
-        for (i = 0; i < (l - cursor); i++)
+        for (i = 0; i < (ctx->l - ctx->cursor); i++)
 	  _write(cli, ctx, " ", 1);
     }
-    for (i = 0; i < l; i++)
-        cmd[i] = '\b';
-    for (; i < l * 2; i++)
-        cmd[i] = ' ';
-    for (; i < l * 3; i++)
-        cmd[i] = '\b';
-    _write(cli, ctx, cmd, i);
-    memset((char *)cmd, 0, i);
-    l = cursor = 0;
+    for (i = 0; i < ctx->l; i++)
+        ctx->cmd[i] = '\b';
+    _write(cli, ctx, ctx->cmd, i);
+    for (i = 0; i < ctx->l; i++)
+        ctx->cmd[i] = ' ';
+    _write(cli, ctx, ctx->cmd, i);
+    for (i = 0; i < ctx->l; i++)
+        ctx->cmd[i] = '\b';
+    _write(cli, ctx, ctx->cmd, i);
+    memset(ctx->cmd, 0, i);
+    ctx->l = ctx->cursor = 0;
 }
 
 void cli_reprompt(struct cli_def *cli)
@@ -1270,7 +1272,7 @@ int cli_loop_process_char(struct cli_def *cli, struct cli_loop_ctx *ctx, unsigne
 	if (cli->state == CLI_STATE_PASSWORD || cli->state == CLI_STATE_ENABLE_PASSWORD)
 	    memset(ctx->cmd, 0, ctx->l);
 	else
-	    cli_clear_line(cli, ctx, ctx->cmd, ctx->l, ctx->cursor);
+	    cli_clear_line(cli, ctx);
 
 	ctx->l = ctx->cursor = 0;
 	return CLI_LOOP_CTRL_CONTINUE;
@@ -1315,7 +1317,7 @@ int cli_loop_process_char(struct cli_def *cli, struct cli_loop_ctx *ctx, unsigne
     {
 	if (cli->mode != MODE_EXEC)
 	{
-	    cli_clear_line(cli, ctx, ctx->cmd, ctx->l, ctx->cursor);
+	    cli_clear_line(cli, ctx);
 	    cli_set_configmode(cli, MODE_EXEC, NULL);
 	    cli->showprompt = 1;
 	}
@@ -1431,7 +1433,7 @@ int cli_loop_process_char(struct cli_def *cli, struct cli_loop_ctx *ctx, unsigne
 	if (history_found && cli->history[ctx->in_history])
 	{
 	    // Show history item
-	    cli_clear_line(cli, ctx, ctx->cmd, ctx->l, ctx->cursor);
+	    cli_clear_line(cli, ctx);
 	    memset(ctx->cmd, 0, CLI_MAX_LINE_LENGTH);
 	    strncpy(ctx->cmd, cli->history[ctx->in_history], CLI_MAX_LINE_LENGTH - 1);
 	    /* cryptech: not sure if needed, but ensure we don't disclose memory after buf */
-- 
cgit v1.2.3