From: Quentin Young
Date: Fri, 1 Jun 2018 19:25:03 +0000 (+0000)
Subject: vtysh: fix potential stack buffer overflow
X-Git-Tag: frr-6.1-dev~376^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=acf59d7a876f4b815e8bfc4894def8150b3ec1fc;p=mirror%2Ffrr.git
vtysh: fix potential stack buffer overflow
If vtysh was instructed to perform line-by-line processing on the output of a command executed against a daemon and this output, as received by vtysh, was not terminated with a newline, vtysh could print contents of memory to its output device.
Signed-off-by: Quentin Young
---
diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
index 90c387b48c..ce796140c7 100644
--- a/vtysh/vtysh.c
+++ b/vtysh/vtysh.c
@@ -149,7 +149,7 @@ static int vtysh_client_run(struct vtysh_client *vclient, const char *line,
 bufvalid = buf;
 do {
 ssize_t nread =
- read(vclient->fd, bufvalid, buf + bufsz - bufvalid);
+ read(vclient->fd, bufvalid, buf + bufsz - bufvalid - 1);
 if (nread < 0 && (errno == EINTR || errno == EAGAIN))
 continue;
@@ -162,6 +162,9 @@ static int vtysh_client_run(struct vtysh_client *vclient, const char *line,
 bufvalid += nread;
+ /* Null terminate so we may pass this to *printf later. */
+ bufvalid[0] = '\0';
+
 /*
 * We expect string output from daemons, so instead of looking
 * for the full 3 null bytes of the terminator, we check for
@@ -195,7 +198,7 @@ static int vtysh_client_run(struct vtysh_client *vclient, const char *line,
 else if (end)
 /* no nl, end of input, but some text left */
 eol = end;
- else if (bufvalid == buf + bufsz) {
+ else if (bufvalid == buf + bufsz - 1) {
 /*
 * no nl, no end of input, no buffer space;
 * realloc
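Review bot: The byte reserved for the terminator is written as a bare `- 1` in the read length of the first hunk and again in the full-buffer test of the third hunk, `bufvalid == buf + bufsz - 1`, and nothing records that the two must agree. The read length is a pointer difference converted to read()'s size_t count, so if bufvalid ever got past `buf + bufsz - 1` the equality test would not fire and the length would wrap to a very large value. I would add a comment above the read, `/* keep one byte free for the NUL stored after the read; must match the full-buffer test below */`, and make the test in the third hunk `else if (bufvalid >= buf + bufsz - 1) {`. The body of vtysh_client_run starts and ends outside these hunks, so whether other paths move bufvalid is not visible here.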
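Review bot: The comment on the store added in the second hunk says why the terminator is needed but not what it guarantees: it only stops string functions at the end of the valid data. The context comment just below it says the daemon's own terminator is made of null bytes, so the buffer can apparently hold a NUL before bufvalid and a `%s` print may end earlier than the data that was read. Suggested wording: `/* NUL-terminate at the end of valid data so string functions cannot read past it; NUL bytes sent by the daemon may still end a string earlier. */`. The enclosing function continues outside the hunk.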