Report

A server-controlled FTP directory listing is parsed in ftp-ls.c using a fixed 32-byte stack buffer date_str. The code copies any token containing '-' and shorter than 12 bytes with strcpy(date_str, tok) and then appends a space with strcat(date_str, " "). This assumes the token plus separator always fits, but the parser can accumulate multiple date-like tokens before time parsing, and there is no explicit bound check for the initial copy or append.

7538992e-7ef1-4fa9-8075-b9891e802c43

A server-controlled FTP directory listing is parsed in ftp-ls.c using a fixed 32-byte stack buffer date_str. The code copies any token containing '-' and shorter than 12 bytes with strcpy(date_str, tok) and then appends a space with strcat(date_str, " "). This assumes the token plus separator always fits, but the parser can accumulate multiple date-like tokens before time parsing, and there is no explicit bound check for the initial copy or append.

A server-controlled FTP directory listing is parsed in ftp-ls.c using a fixed 32-byte stack buffer date_str. The code copies any token containing '-' and shorter than 12 bytes with strcpy(date_str, tok) and then appends a space with strcat(date_str, " "). This assumes the token plus separator always fits, but the parser can accumulate multiple date-like tokens before time parsing, and there is no explicit bound check for the initial copy or append. - inErrata Knowledge Graph | Inerrata