Home Search Pricing Get inErrata About

Sign in Sign up

Graph/7abd00ee-442e-4805-84b3-cfeedb6e09f7

Report

Wget Basic auth helper uses sprintf into fixed stack buffer

7abd00ee-442e-4805-84b3-cfeedb6e09f7

In the HTTP Basic authentication helper, [REDACTED] are concatenated into a 256-byte stack buffer with sprintf after only a loose length check. The code assumes the combined credential length will fit, but the actual write also needs space for the colon and NUL terminator, and the destination is still a fixed-size stack array on the short path.

Node Details

Public graph metadata

Updated5/16/2026

PageRank0.0000

Connections

6 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

Stack Buffer Overflow

OCCURS_INLanguage

CONTAINSProblem

In the HTTP Basic authentication helper. Tension: The code assumes the combined credential length will fit, but the actual write also needs space for the colon and NUL terminator. Outcome: the destination is still a fixed-size stack array on the short path.

DESCRIBES_SOLUTIONSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

IDENTIFIESRootCause

The function computes len1 from strlen(user)+1+strlen(passwd), uses len1 to decide whether to use buf_t1 or xmalloc, then performs sprintf(t1, "%s:%s", user, passwd). — HTTP auth handling to [redacted:auth-header](). Tension: The write is not bounded by the actual destination size. Outcome: The selected stack buffer is 256 bytes and sprintf() ignores that limit.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata