examples/client: guard rxBuf indexing against negative stream_read error

[yosuke-wolfssl]

Background
In client_test examples/client/client.c, the non-keepOpen read loop reuses ret for both the byte count and the error code. When wolfSSH_stream_read returns ≤0, ret is overwritten with wolfSSH_get_error(ssh). The do/while continuation only re-tests for WS_WANT_READ/WS_WANT_WRITE, so a WS_CHAN_RXD (-1057) result exits the loop with ret still negative.
The following line then did:

rxBuf[ret] = '\0';   /* rxBuf[-1057] -> OOB write before the 80-byte stack buffer */
printf("Server said: %s\n", rxBuf);  /* prints un-terminated buffer */

This is a stack out-of-bounds write and an uninitialized/un-terminated read.

Changes
Guard the terminator and print so they only run for a valid byte count:

if (ret > 0 && ret < (int)sizeof(rxBuf)) {
    rxBuf[ret] = '\0';
    printf("Server said: %s\n", rxBuf);
}

Addressed by f_4104

[Copilot]

Pull request overview

This PR fixes a potential stack out-of-bounds write (and subsequent unterminated string print) in the examples/client client_test() non-keepOpen read loop when wolfSSH_stream_read() returns an error and ret is overwritten with a negative wolfSSH_get_error() code.

Changes:

• Guard rxBuf[ret] = '\0' so it only executes when ret is a valid positive byte count within the buffer bounds.
• Guard the "Server said: %s" print to avoid reading unterminated/uninitialized data when ret is not a byte count.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1004

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅