cli: fix bash completion and vxlan display bugs

[rjarry]

Fix use-after-free in bash completion mode where bash_complete_node() was taking ownership of the caller's cmdlist node, causing a double free when main() cleans up. Clone the node before passing it to EC_NODE_SEQ.

Also fix a truncation issue in bash completion where gr_strcpy() was cutting one character past the requested length, and fix the VXLAN local VTEP address display to handle IPv6 underlay.

CLI bash completion fixes

Use-after-free in completion node handling: bash_complete_node() now clones the provided cmdlist parameter using ec_node_clone(cmdlist) before passing it to EC_NODE_SEQ(). Previously, the function took ownership of the caller's node, causing a double-free when the main function later cleaned up the same reference. This aligns with the pattern already used in cli/dump.c and cli/interact.c.

Buffer truncation in completion: The bash_complete() function replaced the gr_strcpy(buf, i, comp_line) call with strcpy(buf, comp_line) followed by manual null-termination at buf[i]. The gr_strcpy() function was copying one character past the requested length, corrupting the buffer and breaking next-word completion.

VXLAN display fix

IPv6 underlay support for local VTEP address: The vxlan_show() and vxlan_list_info() functions updated to use address-family-aware formatting macros. Both now use ADDR_F (generic address format "%*p") with ADDR_W(vxlan->local.af) (width parameterized by address family: 4 for IPv4, 6 for IPv6) and pass vxlan->local.addr instead of the previous IPv4-only IP4_F (format "%4p") with vxlan->local. This enables display of both IPv4 and IPv6 local VTEP addresses.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR modifies two independent subsystems. The CLI completion system now clones command nodes before processing them through the lex-expansion pipeline and adjusts how the completion buffer is populated from the input line. The VXLAN module switches from IPv4-specific output formatting to address-family-aware formatting in both the show and list-info display functions, allowing support for multiple address families in local address output.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cli/complete.c`:
- Around line 95-96: Replace the unbounded strcpy call that copies COMP_LINE
into buf (buf, comp_line) with a bounded copy that respects BUFSIZ: compute or
check the length of comp_line and use a size-limited API (e.g., strncpy/strlcpy
or snprintf) to copy at most BUFSIZ-1 bytes and then explicitly null-terminate
buf; ensure the existing truncation logic that sets buf[i] = '\0' still cannot
write out of bounds by using the actual buffer capacity (BUFSIZ) instead of an
unchecked index i. This change should touch the code around the strcpy(buf,
comp_line) site and preserve intended truncation while eliminating the stack
overflow risk from unbounded input.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 74ee11d5-14bb-4bc9-a0fe-147459a93c5f

📥 Commits

Reviewing files that changed from the base of the PR and between 0ab251b and 398dff1.

📒 Files selected for processing (2)

• cli/complete.c
• modules/l2/cli/vxlan.c

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Unbounded strcpy introduces stack overflow risk

Line 95 copies untrusted COMP_LINE into buf[BUFSIZ] without a size check. A long completion line can overflow the stack before Line 96 truncates it.

Suggested fix

-	strcpy(buf, comp_line);
-	buf[i] = '\0';
+	if (i >= sizeof(buf)) {
+		errorf("COMP_POINT exceeds completion buffer");
+		goto end;
+	}
+	memcpy(buf, comp_line, (size_t)i);
+	buf[i] = '\0';

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cli/complete.c` around lines 95 - 96, Replace the unbounded strcpy call that
copies COMP_LINE into buf (buf, comp_line) with a bounded copy that respects
BUFSIZ: compute or check the length of comp_line and use a size-limited API
(e.g., strncpy/strlcpy or snprintf) to copy at most BUFSIZ-1 bytes and then
explicitly null-terminate buf; ensure the existing truncation logic that sets
buf[i] = '\0' still cannot write out of bounds by using the actual buffer
capacity (BUFSIZ) instead of an unchecked index i. This change should touch the
code around the strcpy(buf, comp_line) site and preserve intended truncation
while eliminating the stack overflow risk from unbounded input.