vtysh: fix potential stack buffer overflow
authorQuentin Young <qlyoung@cumulusnetworks.com>
Fri, 1 Jun 2018 19:25:03 +0000 (19:25 +0000)
committerQuentin Young <qlyoung@cumulusnetworks.com>
Fri, 1 Jun 2018 19:25:03 +0000 (19:25 +0000)
If vtysh was instructed to perform line-by-line processing on the output
of a command executed against a daemon and this output, as received by
vtysh, was not terminated with a newline, vtysh could print contents of
memory to its output device.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
vtysh/vtysh.c

index 90c387b48cfc1de4213e36f930a6bd16c20845bb..ce796140c702b7bf62534d8c7ff269fd800400d2 100644 (file)
@@ -149,7 +149,7 @@ static int vtysh_client_run(struct vtysh_client *vclient, const char *line,
        bufvalid = buf;
        do {
                ssize_t nread =
-                       read(vclient->fd, bufvalid, buf + bufsz - bufvalid);
+                       read(vclient->fd, bufvalid, buf + bufsz - bufvalid - 1);
 
                if (nread < 0 && (errno == EINTR || errno == EAGAIN))
                        continue;
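Review bot: The count passed to read(), `buf + bufsz - bufvalid - 1`, is a signed pointer difference converted to size_t, and nothing in this hunk keeps it positive. It is 0 once bufvalid reaches `buf + bufsz - 1`, in which case read() returns 0 and the handling of that value lies outside the hunk; it would convert to a very large count if bufvalid ever moved past that point. The third hunk grows the buffer at exactly that position, but whether every path back to this read leaves at least one free byte cannot be confirmed from here. Consider making the precondition explicit, e.g. `assert(bufvalid < buf + bufsz - 1);` followed by `size_t room = (size_t)(buf + bufsz - 1 - bufvalid);`, and passing `room` to read(). The body of vtysh_client_run starts and ends outside the hunk.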
@@ -162,6 +162,9 @@ static int vtysh_client_run(struct vtysh_client *vclient, const char *line,
 
                bufvalid += nread;
 
+               /* Null terminate so we may pass this to *printf later. */
+               bufvalid[0] = '\0';
+
                /*
                 * We expect string output from daemons, so instead of looking
                 * for the full 3 null bytes of the terminator, we check for
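Review bot: The new comment above `bufvalid[0] = '\0';` does not say why the store is in bounds, which depends on the `- 1` in the read() size of the first hunk and the `bufsz - 1` test of the third. I would state the invariant where it is relied on: `/* NUL-terminate so this can go to *printf later; one byte at buf + bufsz - 1 is always kept free for it. */`. It is also worth confirming that any later adjustment of bufvalid re-establishes the terminator before the buffer is printed; that code follows the hunk and is not visible here.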
@@ -195,7 +198,7 @@ static int vtysh_client_run(struct vtysh_client *vclient, const char *line,
                        else if (end)
                                /* no nl, end of input, but some text left */
                                eol = end;
-                       else if (bufvalid == buf + bufsz) {
+                       else if (bufvalid == buf + bufsz - 1) {
                                /*
                                 * no nl, no end of input, no buffer space;
                                 * realloc
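Review bot: The full-buffer test `bufvalid == buf + bufsz - 1` triggers only on exact equality, so if bufvalid were ever past the reserved byte the grow branch would be skipped and the next read() size would go negative. A range test is the more defensive form and costs nothing: `else if (bufvalid >= buf + bufsz - 1) {`. The body of the realloc branch continues outside the hunk, so whether the copy into the new buffer carries the terminator at bufvalid along cannot be checked from here.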