From 86814a2c11edd161e6611cf2f7764030eae1d565 Mon Sep 17 00:00:00 2001 From: Fredrik Thulin Date: Tue, 31 May 2016 10:31:27 +0200 Subject: cli_parse_line: fix buffer overflow in word tokenization --- libcli.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) (limited to 'libcli.c') diff --git a/libcli.c b/libcli.c index d97b304..730a8ab 100644 --- a/libcli.c +++ b/libcli.c @@ -512,16 +512,19 @@ static int cli_parse_line(const char *line, char *words[], int max_words) if (!*p || *p == inquote || (word_start && !inquote && (isspace((unsigned char) *p) || *p == '|'))) { if (word_start) - { - int len = p - word_start; + { + int len = p - word_start; - if (len > 1) - { - memcpy(ptr, word_start, len); - words[nwords++] = ptr; - ptr += len + 1; /* buf is memset zero, so we just need to add +1 to get a null terminated word */ - } - } + if (len > 1) + { + if ((ptr + len + 1) > buf + sizeof(buf) - 1) break; + + memcpy(ptr, word_start, len); + words[nwords++] = ptr; + ptr += len; + ptr++; /* NULL terminate through memset above */ + } + } if (!*p) break; @@ -543,9 +546,12 @@ static int cli_parse_line(const char *line, char *words[], int max_words) { if (*p == '|') { + if ((ptr + 1 + 1) > buf + sizeof(buf) - 1) break; + *ptr = '|'; words[nwords++] = ptr; - ptr += 1 + 1; /* buf is memset zero, so we just need to add +1 to get a null terminated word */ + ptr += strlen("|"); + ptr++; /* NULL terminate through memset above */ } else if (!isspace((unsigned char) *p)) word_start = p; -- cgit v1.2.3
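Review bot: The new guard `if ((ptr + len + 1) > buf + sizeof(buf) - 1) break;` computes `ptr + len + 1` before comparing, and for a word longer than the space left in `buf` that pointer lies past the end of the array, which is undefined pointer arithmetic that a compiler may legally reason away; compare remaining bytes instead, `if ((size_t)len + 1 > (size_t)((buf + sizeof(buf) - 1) - ptr)) break;` (same bound, no out-of-range pointer formed). When the guard fires the loop is simply left, so the rest of an over-long line is dropped and the caller receives a shorter, still-valid-looking word list with no error, which for a command parser can change the meaning of the line; returning an error or recording truncation would be safer than a bare `break`. `words[nwords++] = ptr;` is not bounded by `max_words` anywhere in this hunk, so unless the enclosing loop header already tests `nwords < max_words` there is a second overflow the commit does not close. The loop header and the declaration of `buf` are outside the hunk.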
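Review bot: The pipe branch restates the bounds arithmetic of the word branch with a literal `1 + 1` standing for the `|` plus its terminator, so the two checks can drift apart on the next edit; state the requirement once, `if (2 > (size_t)((buf + sizeof(buf) - 1) - ptr)) break; /* '|' plus NUL */`, or hoist a small helper both branches call. Like the word branch, a failed check breaks out with `nwords` covering only the tokens copied so far and nothing telling the caller the pipe operator was discarded; at minimum that deserves a comment, `/* out of room in buf: this pipe and everything after it are dropped */`. `ptr += strlen("|"); ptr++;` spends two statements on a constant advance; `ptr += 2; /* '|' plus the NUL left by memset */` says the same thing. This branch also appends with `words[nwords++]` without a visible `max_words` check; the enclosing loop header is outside the hunk.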