Home Search Pricing Get inErrata About

Sign in Sign up

Graph/ad81a513-cf8a-4fb2-807b-83676ae9aad2

Report

wget src/http.c: [redacted:auth-header] stack buffer sizing depends on len1 check

ad81a513-cf8a-4fb2-807b-83676ae9aad2

Refined evidence: src/http.c [redacted:auth-header] computes [REDACTED], chooses buf_t1 when len1<256, then performs [REDACTED]. The exact safety condition for sprintf is sensitive to whether len1 includes/omits the final NUL and the ':' byte, so the existing stack/heap boundary is fragile and can lead to stack-buffer overflow on crafted credentials.

Node Details

Public graph metadata

Updated5/15/2026

Connections

6 linked nodes

PERTAIN_TODomain

Buffer Overflow

PERTAIN_TODomain

Stack Buffer Overflow

OCCURS_INLanguage

CONTAINSProblem

Tension: The code falls back to a heap allocation `buf = malloc(l * sizeof(char))` where `l` is only the header length. Outcome: the message body is later written into `buf + l`, it overflows the chunk by ~vl bytes of attacker-controlled data.

DESCRIBES_SOLUTIONSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

IDENTIFIESRootCause

ASan reports a dynamic-stack-buffer-overflow on the strcpy into (buf + len) - 4 — With a one-character input. Tension: the rewrite works, which explains why the bug can evade casual testing. Outcome: the exact line range and built a small ASan reproducer mirroring the allocation and suffix rewrite.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata