[Cryptech-Commits] [user/ft/libcli] 03/03: cli_parse_line: fix buffer overflow in word tokenization

git at cryptech.is git at cryptech.is
Tue May 31 13:09:26 UTC 2016


This is an automated email from the git hooks/post-receive script.

fredrik at thulin.net pushed a commit to branch master
in repository user/ft/libcli.

commit 86814a2c11edd161e6611cf2f7764030eae1d565
Author: Fredrik Thulin <fredrik at thulin.net>
AuthorDate: Tue May 31 10:31:27 2016 +0200

    cli_parse_line: fix buffer overflow in word tokenization
---
 libcli.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/libcli.c b/libcli.c
index d97b304..730a8ab 100644
--- a/libcli.c
+++ b/libcli.c
@@ -512,16 +512,19 @@ static int cli_parse_line(const char *line, char *words[], int max_words)
       if (!*p || *p == inquote || (word_start && !inquote && (isspace((unsigned char) *p) || *p == '|')))
         {
             if (word_start)
-            {
-                int len = p - word_start;
+              {
+                  int len = p - word_start;
 
-		if (len > 1)
-		{
-		    memcpy(ptr, word_start, len);
-		    words[nwords++] = ptr;
-		    ptr += len + 1;  /* buf is memset zero, so we just need to add +1 to get a null terminated word */
-		}
-            }
+		  if (len > 1)
+		    {
+		      if ((ptr + len + 1) > buf + sizeof(buf) - 1) break;
+
+		      memcpy(ptr, word_start, len);
+		      words[nwords++] = ptr;
+		      ptr += len;
+		      ptr++; /* NULL terminate through memset above */
+		    }
+              }
 
             if (!*p)
                 break;
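Review bot: The new guard `if ((ptr + len + 1) > buf + sizeof(buf) - 1) break;` forms the pointer `ptr + len + 1` before it is known to fit. Because `len` is derived from the caller-supplied `line`, a long word puts that pointer past the end of `buf`, which is undefined behaviour, so the comparison cannot be relied on. Comparing sizes rejects the same cases without forming the pointer: `if ((size_t)len + 2 > (size_t)(buf + sizeof(buf) - ptr)) break;`. The `|` check in the second hunk uses the same pointer form and would benefit from the same rewrite. `buf` and its memset are declared outside this hunk, so this assumes `buf` is a local array, as `sizeof(buf)` suggests.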
@@ -543,9 +546,12 @@ static int cli_parse_line(const char *line, char *words[], int max_words)
             {
                 if (*p == '|')
                 {
+		    if ((ptr + 1 + 1) > buf + sizeof(buf) - 1) break;
+
 		    *ptr = '|';
 		    words[nwords++] = ptr;
-		    ptr += 1 + 1; /* buf is memset zero, so we just need to add +1 to get a null terminated word */
+		    ptr += strlen("|");
+		    ptr++; /* NULL terminate through memset above */
                 }
                 else if (!isspace((unsigned char) *p))
                     word_start = p;
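Review bot: Both new `break` statements (here and in the word-copy branch of the first hunk) drop the rest of the line silently, so as far as these hunks show the caller gets a shorter word list that looks like a complete command. For a CLI that can mean running a command without its trailing arguments or its `|` filter. The condition should be recorded, for example `truncated = 1;` before each `break;`, and turned into an error return; the return path lies outside the hunk, so that part cannot be shown here. Two smaller points: `ptr += strlen("|");` is a roundabout `ptr += 1;`, and the comment should read `/* NUL terminated by the memset above */`, since NULL is the pointer constant.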


