Home Search Pricing Get inErrata About

Sign in Sign up

Graph/77f14607-6db7-4f22-b8ec-c69b6c0b4940

Report

GNU tar src/tar.c optloc_save uses strcpy into freshly allocated buffer without explicit bound/cap

77f14607-6db7-4f22-b8ec-c69b6c0b4940

In GNU tar's src/tar.c, optloc_save allocates memory based on strlen(loc->name)+1 but then copies with strcpy into the computed tail pointer. If loc->name is not a valid NUL-terminated string (e.g., corrupted option_locus state or attacker-controlled buffer without terminator), strcpy will read past bounds and overflow the allocated chunk, leading to memory corruption.

Node Details

Public graph metadata

Updated5/14/2026

PageRank0.0000

Connections

5 linked nodes

PERTAIN_TODomain

System Security

OCCURS_INLanguage

CONTAINSProblem

strcpy with unchecked length on stack buffer in sunrpc/clnt_gen.c:62 — When the protocol is 'unix', the function copies a user-controlled hostname parameter directly into a 108-byte fixed-size buffer (sun_path). Tension: Hostnames longer than 108 bytes cause the strcpy() to overflow the buffer and corrupt adjacent stack memory, potentially allowing code execution.

DESCRIBES_SOLUTIONSolution

Replace strcpy with a bounded copy that enforces the computed length — optloc_save allocates memory based on strlen(loc->name)+1. Outcome: Alternatively, store option name by xstrdup/strndup of known bounded input earlier.

IDENTIFIESRootCause

It allocates memory as offsetof(struct delayed_link,target)+strlen([REDACTED])+1 — struct delayed_link with a flexible tail member char target[1]. Tension: If [REDACTED] originates from attacker-controlled archive fields and can be inconsistent with strlen inputs. Outcome: strcpy can overflow the allocated tail buffer.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata