From 261462c3aacd728f9143a36487bf95730fdc6736 Mon Sep 17 00:00:00 2001
From: Quentin Young
Date: Fri, 3 Jan 2020 21:40:30 -0500
Subject: [PATCH] zebra: ensure ipset name is null terminated
We copy a fixed length buffer from the wire but don't ensure it is null terminated. Then print it as a c-string. Lul.
Signed-off-by: Quentin Young
---
 zebra/zapi_msg.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/zebra/zapi_msg.c b/zebra/zapi_msg.c
index 1dbe41f462..63e0b00a73 100644
--- a/zebra/zapi_msg.c
+++ b/zebra/zapi_msg.c
@@ -2416,6 +2416,7 @@ static inline void zread_ipset_entry(ZAPI_HANDLER_ARGS)
 zpi.sock = client->sock;
 STREAM_GETL(s, zpi.unique);
 STREAM_GET(&ipset.ipset_name, s, ZEBRA_IPSET_NAME_SIZE);
+ ipset.ipset_name[ZEBRA_IPSET_NAME_SIZE - 1] = '\0';
 STREAM_GETC(s, zpi.src.family);
 STREAM_GETC(s, zpi.src.prefixlen);
 STREAM_GET(&zpi.src.u.prefix, s, prefix_blen(&zpi.src));
-- 2.39.5
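Review bot: The added terminator in zread_ipset_entry indexes with `ZEBRA_IPSET_NAME_SIZE - 1`, which stays in bounds only if `ipset.ipset_name` is declared with exactly that size; the declaration is outside the hunk. Assuming the field is an array, as the `&ipset.ipset_name` destination suggests, `ipset.ipset_name[sizeof(ipset.ipset_name) - 1] = '\0';` ties the write to the buffer itself. A client-supplied name that fills every byte is now silently cut by one character rather than rejected, so whatever uses the name afterwards sees a different string than the one sent. A short comment such as `/* name is copied raw from the client and may lack a terminator */` would record why the line exists. The function body starts and ends outside the hunk, so how the name is used afterwards cannot be checked from here.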