From 8a40297308e887eaf8ee7ba9530123343413f75b Mon Sep 17 00:00:00 2001
From: Zdenek Styblik
Date: Tue, 16 Jul 2013 04:12:09 +0000
Subject: [PATCH] ID: 257 ipmitool exec segfaults if invalid input given

Commit mitigates segfault in 'exec'/ipmishell when invalid input is given. Code expects another _'_ or _"_ to come, but if it doesn't, it ends up r/w unallocated memory.
---
 ipmitool/src/ipmishell.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/ipmitool/src/ipmishell.c b/ipmitool/src/ipmishell.c
index e1ec1f6..73257b8 100644
--- a/ipmitool/src/ipmishell.c
+++ b/ipmitool/src/ipmishell.c
@@ -146,7 +146,7 @@ int ipmi_shell_main(struct ipmi_intf * intf, int argc, char ** argv)
 while (*ptr != '\0') {
 if (*ptr == '"') {
 ptr++;
- while (*ptr != '"') {
+ while (*ptr != '"' && *ptr != '\0') {
 if (isspace((int)*ptr))
 *ptr = '~';
 ptr++;
@@ -154,7 +154,7 @@ int ipmi_shell_main(struct ipmi_intf * intf, int argc, char ** argv)
 }
 if (*ptr == '\'') {
 ptr++;
- while (*ptr != '\'') {
+ while (*ptr != '\'' && *ptr != '\0') {
 if (isspace((int)*ptr))
 *ptr = '~';
 ptr++;
@@ -174,7 +174,7 @@ int ipmi_shell_main(struct ipmi_intf * intf, int argc, char ** argv)
 ptr = *ap;
 if (*ptr == '\'') {
 memmove(ptr, ptr+1, strlen(ptr));
- while (*ptr != '\'') {
+ while (*ptr != '\'' && *ptr != '\0') {
 if (*ptr == '~')
 *ptr = ' ';
 ptr++;
@@ -183,7 +183,7 @@ int ipmi_shell_main(struct ipmi_intf * intf, int argc, char ** argv)
 }
 if (*ptr == '"') {
 memmove(ptr, ptr+1, strlen(ptr));
- while (*ptr != '"') {
+ while (*ptr != '"' && *ptr != '\0') {
 if (*ptr == '~')
 *ptr = ' ';
 ptr++;
@@ -366,7 +366,7 @@ int ipmi_exec_main(struct ipmi_intf * intf, int argc, char ** argv)
 while (*ptr != '\0') {
 if (*ptr == '"') {
 ptr++;
- while (*ptr != '"') {
+ while (*ptr != '"' && *ptr != '\0') {
 if (isspace((int)*ptr))
 *ptr = '~';
 ptr++;
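Review bot: An unterminated quote can probably still walk past the end of the buffer in the hunk at -146: once the new inner loop stops on `'\0'`, the enclosing `while (*ptr != '\0')` loop has nothing that keeps it from advancing `ptr` one more time and testing the byte after the terminator. The outer loop's increment lies outside the hunk, so this is inferred from the loop shape and should be confirmed against the full function. Adding `if (*ptr == '\0') break;` directly after each inner loop would close that path. The hunks at -154, -366 and -374 have the same shape, and ipmi_shell_main's body continues outside the hunk.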
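Review bot: `isspace((int)*ptr)` in the hunk at -154 is undefined for bytes above 0x7f on platforms where `char` is signed, because the `(int)` cast keeps the negative value while the `<ctype.h>` functions require an argument representable as `unsigned char` (or EOF). The buffer holds whatever the user or a script supplied, so such bytes can reach this call. The line should read `if (isspace((unsigned char)*ptr))`. The hunks at -146, -366 and -374 carry the same call.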
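Review bot: The restore loop in the hunk at -174 rewrites every `~` inside a quoted token to a space, so a tilde the user actually typed between quotes (in a password or a path, for instance) is silently altered; `if (*ptr == '~') *ptr = ' ';` cannot tell a placeholder from a literal. If the in-band placeholder is kept, the limitation should at least be documented above the loop, e.g. `/* '~' marks masked whitespace; a literal '~' inside quotes is not preserved */`. A quote-aware tokenizer that never rewrites the buffer would remove the ambiguity. The hunks at -183, -405 and -414 share the loop.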
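Review bot: The quote-masking loop touched in the hunk at -366 is a copy of the one in ipmi_shell_main (hunks at -146 and -154), which is why the same missing terminator check had to be patched in eight places. Folding the masking into one static helper that takes the quote character would give later fixes a single place to land. The sketch below also passes `unsigned char` to `isspace`, which differs from the `(int)` cast in the hunk. The enclosing loop starts and ends outside the hunk.

```c
/* Mask whitespace in one quoted run with '~'. Returns a pointer to the
 * closing quote, or to the terminator when the quote is never closed. */
static char *
mask_quoted_run(char *ptr, char quote)
{
	while (*ptr != quote && *ptr != '\0') {
		if (isspace((unsigned char)*ptr))
			*ptr = '~';
		ptr++;
	}
	return ptr;
}

/* … unchanged: enclosing while (*ptr != '\0') loop … */
	if (*ptr == '"' || *ptr == '\'')
		ptr = mask_quoted_run(ptr + 1, *ptr);
```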
@@ -374,7 +374,7 @@ int ipmi_exec_main(struct ipmi_intf * intf, int argc, char ** argv)
 }
 if (*ptr == '\'') {
 ptr++;
- while (*ptr != '\'') {
+ while (*ptr != '\'' && *ptr != '\0') {
 if (isspace((int)*ptr))
 *ptr = '~';
 ptr++;
@@ -405,7 +405,7 @@ int ipmi_exec_main(struct ipmi_intf * intf, int argc, char ** argv)
 tmp = __argv[__argc-1];
 if (*tmp == '\'') {
 memmove(tmp, tmp+1, strlen(tmp));
- while (*tmp != '\'') {
+ while (*tmp != '\'' && *tmp != '\0') {
 if (*tmp == '~')
 *tmp = ' ';
 tmp++;
@@ -414,7 +414,7 @@ int ipmi_exec_main(struct ipmi_intf * intf, int argc, char ** argv)
 }
 if (*tmp == '"') {
 memmove(tmp, tmp+1, strlen(tmp));
- while (*tmp != '"') {
+ while (*tmp != '"' && *tmp != '\0') {
 if (*tmp == '~')
 *tmp = ' ';
 tmp++;
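Review bot: An unbalanced quote is now accepted without any diagnostic in the hunk at -405: when the loop ends on `'\0'` instead of the closing `'`, the remainder of the line becomes a single argument and, as far as the hunk shows, processing simply continues. For `exec`, where lines presumably come from a script rather than an interactive user, rejecting the malformed line is the safer default than running a command with an argument the author did not intend. A check after the loop such as `if (*tmp == '\0') { /* report unterminated quote, skip this line */ }` would surface the problem. The hunk at -414 has the same path, and ipmi_exec_main continues outside the hunk.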