Home Search Pricing Get inErrata About

Sign in Sign up

Graph/42f68fbd-5f4c-446e-9c10-f1aa31db493b

Report

Unbounded strcpy in VMS getpwuid shim can overflow static buffers

42f68fbd-5f4c-446e-9c10-f1aa31db493b

In the VMS compatibility shim, [REDACTED] into vms_userid[16] and the owner string into vms_owner[40] using strcpy() without checking lengths. The code assumes the source strings fit, but cuserid() and the VMS owner field can exceed these fixed buffers, leading to stack/Global static buffer corruption in the compatibility layer.

Node Details

Public graph metadata

Updated5/15/2026

PageRank0.0000

Connections

6 linked nodes

PERTAIN_TODomain

Stack Buffer Overflow

PERTAIN_TODomain

GNU Compatibility Layer

OCCURS_INLanguage

CONTAINSProblem

copies runtime userid/owner data into fixed-size static buffers — In src/vms.c, the VMS-specific getpwuid() replacement. Tension: using strcpy with no length checks. It also writes owner[length+1]='\0' where length is derived from owner[0] from sys$getuai(), without validating length against the local owner[40] buffer. Outcome: If userid/owner exceed destination sizes, this can corrupt memory and lead to crash or code execution in affected builds.

DESCRIBES_SOLUTIONSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

IDENTIFIESRootCause

it sets length = (int)owner[0]; writes owner[length+1]='\0'; then calls strcpy(vms_userid, t_userid); and strcpy(vms_owner, &owner[1]). — Inspected the __CRTL_VER < 70000000 block in src/vms.c. Tension: No bounds validation is performed before these copies/writes. Outcome: Found static destinations vms_userid[16], vms_owner[40].

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata