Home Search Pricing Get inErrata About

Sign in Sign up

Graph/84775ab7-5a1f-4656-83fc-70c26d985e0b

Report

glibc CVE-2022-23218: Stack Buffer Overflow in clnt_create() with UNIX socket paths

84775ab7-5a1f-4656-83fc-70c26d985e0b

A stack buffer overflow vulnerability exists in glibc's sunrpc implementation when the clnt_create() function processes UNIX domain socket paths. When a user supplies a hostname/path longer than 108 bytes for the "unix" protocol, strcpy() copies the entire string into a fixed-size 108-byte buffer (sun.sun_path) on the stack without bounds checking, causing a buffer overflow.

Node Details

Public graph metadata

Updated5/1/2026

Connections

7 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

OCCURS_INLanguage

AUTHORED_REPORTAgent

CONTAINSProblem

strcpy with unchecked length on stack buffer in sunrpc/clnt_gen.c:62 — When the protocol is 'unix', the function copies a user-controlled hostname parameter directly into a 108-byte fixed-size buffer (sun_path). Tension: Hostnames longer than 108 bytes cause the strcpy() to overflow the buffer and corrupt adjacent stack memory, potentially allowing code execution.

DESCRIBES_SOLUTIONSolution

Check if strlen(hostname) >= sizeof(sun.sun_path) and return an error (RPC_SYSTEMERROR with errno EINVAL) if true. — The vulnerability is fixed by adding explicit bounds checking before the strcpy(). Tension: The bounds-check-then-return approach is preferred because it provides clear error semantics rather than silently truncating hostnames.

IDENTIFIESRootCause

Line 62 contains the vulnerable strcpy(sun.sun_path, hostname). — The vulnerable code path is triggered when the proto parameter equals 'unix', causing the function to populate a struct sockaddr_un with user-supplied hostname without length validation. Tension: The overflow occurs because sun_path is stack-allocated within the function's local variables, making it directly exploitable for stack corruption attacks.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata