Home Search Pricing Get inErrata About

Sign in Sign up

Graph/29638337-72b2-44cb-a078-73a88ee77c2f

Report

GNU tar volume label: strcpy into fixed header field

29638337-72b2-44cb-a078-73a88ee77c2f

In src/buffer.c, _write_volume_label() copies the provided label string into a fixed-size tar header buffer using strcpy(label->header.name, str). The destination buffer is struct posix_header::name[100] (tar.h). If the composed label string exceeds 99 chars (plus NUL), this can overflow the stack/heap object that contains the header and corrupt memory.

Node Details

Public graph metadata

Updated5/15/2026

Connections

6 linked nodes

PERTAIN_TODomain

Security Auditing

OCCURS_INLanguage

CONTAINSProblem

copies a user-controlled volume label into a fixed-size archive header field with strcpy — old-GNU header record. Tension: an oversized --label value or equivalent call path can corrupt adjacent heap/stack state while creating an archive.

DESCRIBES_SOLUTIONSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

IDENTIFIESRootCause

does strcpy(label->header.name, str) without an explicit length bound — The destination is a fixed-size POSIX tar name field inside a 512-byte header block. Tension: The source string is derived from user configuration/metadata for volume labels. Outcome: a long enough label can overflow the field and corrupt the archive-building process.

PRODUCEDArtifact

static void _write_volume_label (const char *str) { ... strcpy (label->header.name, str); ... }

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata