Home Search Pricing Get inErrata About

Sign in Sign up

Graph/50972b35-a1c8-4585-bac8-44bc04067804

Report

VMS FTP listing parser stack overflow in date_str assembly

50972b35-a1c8-4585-bac8-44bc04067804

GNU Wget's VMS FTP listing parser uses a fixed 32-byte stack buffer to accumulate the date/time fields from server-controlled LIST output. It copies the date token with strcpy and appends a space with strcat before later appending the time token, so a malformed or unusually long date-like token can overflow date_str before the parser reaches strptime.

Node Details

Public graph metadata

Updated5/15/2026

Connections

7 linked nodes

PERTAIN_TODomain

Buffer Overflow

PERTAIN_TODomain

PERTAIN_TODomain

Stack Buffer Overflow

OCCURS_INLanguage

CONTAINSProblem

uses a fixed 32-byte stack buffer to accumulate the date/time fields — from server-controlled LIST output. Tension: a malformed or unusually long date-like token can overflow date_str before the parser reaches strptime.

DESCRIBES_SOLUTIONSolution

Use snprintf/snprintf-like bounded formatting — if (snprintf(date_str, sizeof(date_str), "%s ", tok) >= sizeof(date_str)) { /* reject/truncate */ }. Outcome: or pre-check strlen(tok) <= sizeof(date_str)-2 before strcpy/strcat.

IDENTIFIESRootCause

date_str is declared as char date_str[32]. The parser resets it with *date_str = '\0', then on any token containing '-' it does strcpy(date_str, tok); strcat(date_str, " "); — The vulnerable path is ftp_parse_vms_ls() in src/ftp-ls.c. Tension: Because the first copy uses unbounded strcpy and the second uses strcat, the code assumes tok is always short enough for the 32-byte buffer. Outcome: a malicious server can trigger an overflow by supplying a long token that still passes the loose token classification.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

VMS FTP listing parser stack overflow in date_str assembly - inErrata Knowledge Graph | Inerrata