utils: fix makeargs stack overflow

The makeargs() function did not handle end of string correctly
and would reference past end of string.

Found by fuzzing with ASAN.

Reported-by:Bug Basher <iamliketohack@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>

diff --git a/lib/utils.c b/lib/utils.c
index 7ced8c061cb092474b2ba46b8298cb44c883c985..df1f3b1238c029a073534c43690b72b53d9e95d2 100644 (file)
--- a/lib/utils.c
+++ b/lib/utils.c
@@ -1206,10 +1206,16 @@ ssize_t getcmdline(char **linep, size_t *lenp, FILE *in)
 int makeargs(char *line, char *argv[], int maxargs)
 {
        static const char ws[] = " \t\r\n";
-       char *cp;
+       char *cp = line;
        int argc = 0;
 
-       for (cp = line + strspn(line, ws); *cp; cp += strspn(cp, ws)) {
+       while (*cp) {
+               /* skip leading whitespace */
+               cp += strspn(cp, ws);
+
+               if (*cp == '\0')
+                       break;
+
                if (argc >= (maxargs - 1)) {
                        fprintf(stderr, "Too many arguments to command\n");
                        exit(1);
@@ -1226,13 +1232,16 @@ int makeargs(char *line, char *argv[], int maxargs)
                                fprintf(stderr, "Unterminated quoted string\n");
                                exit(1);
                        }
-                       *cp++ = 0;
-                       continue;
+               } else {
+                       argv[argc++] = cp;
+
+                       /* find end of word */
+                       cp += strcspn(cp, ws);
+                       if (*cp == '\0')
+                               break;
                }
 
-               argv[argc++] = cp;
-               /* find end of word */
-               cp += strcspn(cp, ws);
+               /* seperate words */
                *cp++ = 0;
        }
        argv[argc] = NULL;