From 9aeb3f17b3d809bc92701e60454ab79654fe46a7 Mon Sep 17 00:00:00 2001 
From: Lagrang3 Date: Tue, 10 Dec 2024 09:59:13 +0100 Subject: [PATCH] lightning-cli: fix malformed response bug There was a wrong assumption that the number of bytes read by `cli_read` would get us for each correctly read token two extra CR characters. As a matter of fact one could read enough characters to parse the first token, but the two extra CR characters are not guaranteed. ``` ==143570== Memcheck, a memory error detector ==143570== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==143570== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info ==143570== Command: /home/lagrange/BACKUP/l4-appdata/github/lagrang3/lightning/cli/lightning-cli --lightning-dir=/tmp/askrene_benchmark/lightning -k getroutes source=032ed0d87ba2bd68e3a386717cf2faaae4fa6d6da247986b1997113930e4f841d5 destination=03b2f16bf472dd03c55c2ce9910aab717321db4489cd87df5225adadb08031da4b amount_msat=100000sat final_cltv=6 layers=[] maxfee_msat=500sat ==143570== ==143570== Invalid read of size 1 ==143570== at 0x484A430: memmove (vg_replace_strmem.c:1382) ==143570== by 0x10C3D2: main (lightning-cli.c:871) ==143570== Address 0x4a62f80 is 0 bytes after a block of size 1,040 alloc'd ==143570== at 0x48407B4: malloc (vg_replace_malloc.c:381) ==143570== by 0x11402E: allocate (tal.c:256) ==143570== by 0x11471E: tal_alloc_ (tal.c:473) ==143570== by 0x1147EA: tal_alloc_arr_ (tal.c:517) ==143570== by 0x10C206: main (lightning-cli.c:816) ==143570== ==143570== Invalid read of size 1 ==143570== at 0x484A43D: memmove (vg_replace_strmem.c:1382) ==143570== by 0x10C3D2: main (lightning-cli.c:871) ==143570== Address 0x4a62f81 is 1 bytes after a block of size 1,040 alloc'd ==143570== at 0x48407B4: malloc (vg_replace_malloc.c:381) ==143570== by 0x11402E: allocate (tal.c:256) ==143570== by 0x11471E: tal_alloc_ (tal.c:473) ==143570== by 0x1147EA: tal_alloc_arr_ (tal.c:517) ==143570== by 0x10C206: main (lightning-cli.c:816) ==143570== ==143570== Invalid write of size 1 ==143570== at 
0x484A433: memmove (vg_replace_strmem.c:1382) ==143570== by 0x10C3D2: main (lightning-cli.c:871) ==143570== Address 0x4a62f80 is 0 bytes after a block of size 1,040 alloc'd ==143570== at 0x48407B4: malloc (vg_replace_malloc.c:381) ==143570== by 0x11402E: allocate (tal.c:256) ==143570== by 0x11471E: tal_alloc_ (tal.c:473) ==143570== by 0x1147EA: tal_alloc_arr_ (tal.c:517) ==143570== by 0x10C206: main (lightning-cli.c:816) ``` Changelog-Fixed: lightning-cli: fix "malformed response" bug Signed-off-by: Lagrang3 --- cli/lightning-cli.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/cli/lightning-cli.c b/cli/lightning-cli.c index 31a47f7fdf0b..c3a25afd14a0 100644 --- a/cli/lightning-cli.c +++ b/cli/lightning-cli.c @@ -860,10 +860,8 @@ int main(int argc, char *argv[]) default: if (handle_notify(resp, toks, notification_level, &last_was_progress)) { - /* +2 for \n\n */ - size_t len = toks[0].end - toks[0].start + 2; - memmove(resp, resp + len, off - len); - off -= len; + memmove(resp, resp + toks[0].end, off - toks[0].end); + off -= toks[0].end; jsmn_init(&parser); toks[0].type = JSMN_UNDEFINED; /* Don't force another read! */
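Review bot: the replacement shift is right, but the hunk loses the only comment that explained this step and adds no guard for the invariant it now depends on. Two points. First, `toks[0].end` is an absolute offset into `resp`, so the removed `toks[0].end - toks[0].start + 2` was also silently assuming `toks[0].start == 0`; after the new memmove the buffer begins with whatever whitespace followed the object (the `\n\n` the old `+2` tried to skip), so dropping the `+2` is only safe because the parser tolerates that leading whitespace on the next round. A one-line comment in place of the deleted `/* +2 for \n\n */`, e.g. `/* Leave any trailing whitespace; the parser skips it on the next pass. */`, would keep the next reader from re-adding the `+2`. Second, the Valgrind trace quoted in the commit message (memmove at lightning-cli.c:871 reading and writing past the 1,040-byte block allocated at line 816) is the `size_t` wraparound of `off - len` when fewer than `len` bytes had been read; the new `off - toks[0].end` avoids that only as long as the parser never sets `end` beyond the `off` bytes it was given. An explicit `assert(toks[0].end <= off);` before the memmove would document that invariant and turn any future regression into a clean abort rather than an out-of-bounds memmove. A regression test that feeds a notification whose closing brace is the last byte of one `cli_read` chunk would exercise exactly the case the old code mishandled.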