authorQuentin Young <qlyoung@cumulusnetworks.com>2018-06-01 19:25:03 +0000
committerQuentin Young <qlyoung@cumulusnetworks.com>2018-06-01 19:25:03 +0000
commitacf59d7a876f4b815e8bfc4894def8150b3ec1fc (patch)
tree42b3a2b8ad475f815b11a010956d008f881ae04c
parent65757481f05eae3de3aa6b6e08702045e7341552 (diff)
vtysh: fix potential stack buffer overflow
If vtysh was instructed to perform line-by-line processing on the output of a command executed against a daemon and this output, as received by vtysh, was not terminated with a newline, vtysh could print contents of memory to its output device. Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
-rw-r--r--vtysh/vtysh.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
index 90c387b48c..ce796140c7 100644
--- a/vtysh/vtysh.c
+++ b/vtysh/vtysh.c
@@ -149,7 +149,7 @@ static int vtysh_client_run(struct vtysh_client *vclient, const char *line,
bufvalid = buf;
do {
ssize_t nread =
- read(vclient->fd, bufvalid, buf + bufsz - bufvalid);
+ read(vclient->fd, bufvalid, buf + bufsz - bufvalid - 1);
if (nread < 0 && (errno == EINTR || errno == EAGAIN))
continue;
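Review bot: The count expression `buf + bufsz - bufvalid - 1` passed to read() is converted to size_t, so if `bufvalid` ever equals `buf + bufsz` the count wraps to a huge value rather than zero as it did before this change. The rule that one byte stays free is now shared by this call, the terminator write in the second hunk and the full-buffer comparison in the third hunk, but nothing states it. I would add a comment such as `/* keep one byte free for the NUL written after the read */` above the call and check `bufvalid < buf + bufsz` before computing the count. The loop body continues outside the hunk, so whether a zero-length read (which returns 0) is reachable and how it is handled cannot be told from here.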
@@ -162,6 +162,9 @@ static int vtysh_client_run(struct vtysh_client *vclient, const char *line,
bufvalid += nread;
+ /* Null terminate so we may pass this to *printf later. */
+ bufvalid[0] = '\0';
+
/*
* We expect string output from daemons, so instead of looking
* for the full 3 null bytes of the terminator, we check for
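Review bot: Every later *printf of `buf` now depends on the terminator written at `bufvalid[0]`, so any code after this point that moves `bufvalid` or shifts data inside the buffer has to re-establish it. The print calls are outside the hunk; where they already know how many bytes of text are valid, printing with `%.*s` and that length would bound the read without relying on the terminator. At minimum I would extend the comment to `/* Null terminate so we may pass this to *printf later; read() above leaves one byte free for this. */`.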
@@ -195,7 +198,7 @@ static int vtysh_client_run(struct vtysh_client *vclient, const char *line,
else if (end)
/* no nl, end of input, but some text left */
eol = end;
- else if (bufvalid == buf + bufsz) {
+ else if (bufvalid == buf + bufsz - 1) {
/*
* no nl, no end of input, no buffer space;
* realloc
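Review bot: The full-buffer test `bufvalid == buf + bufsz - 1` fires only on exact equality, so if the pointer ever ends up past that mark the grow branch is skipped and the loop continues with no space left. `else if (bufvalid >= buf + bufsz - 1) {` costs nothing and still reaches the grow branch if that ever happens. The branch body (the reallocation itself) lies outside the hunk, so it cannot be confirmed from here that the grown buffer keeps the reserved byte and the terminator. The comment in that branch would be a good place to say so.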