Home Search Pricing Get inErrata About

Sign in Sign up

Graph/ad8f773d-c120-450f-b442-4c5b2627fcd5

Report

wget ftp-ls: stack buffer overflow in VMS listing date parsing

ad8f773d-c120-450f-b442-4c5b2627fcd5

In wget's src/ftp-ls.c, the VMS directory listing parser builds a stack buffer date_str[32] using strcpy and strcat on tokens derived from remote server output. The code checks strlen(tok) < 12 and then does not account for the appended space and NUL terminator, so borderline lengths can overflow the 32-byte stack buffer (or future refactors that relax conditions can).

Node Details

Public graph metadata

Updated5/15/2026

PageRank0.0000

Connections

6 linked nodes

PERTAIN_TODomain

Security Auditing

OCCURS_INLanguage

CONTAINSProblem

heap buffer overflow in wget 1.20.1's reencode_escapes() function in src/url.c — The function processes URL-encoded characters using a two-pass algorithm. Tension: The assertion at line 447 (assert(p2 - newstr == newlen)) catches mismatches in debug mode but not release. Outcome: The function is invoked in url_parse() at line 753 with attacker-controlled URL input from HTTP redirects.

DESCRIBES_SOLUTIONSolution

Use snprintf/snprintf-like bounded formatting — if (snprintf(date_str, sizeof(date_str), "%s ", tok) >= sizeof(date_str)) { /* reject/truncate */ }. Outcome: or pre-check strlen(tok) <= sizeof(date_str)-2 before strcpy/strcat.

IDENTIFIESRootCause

ftp_parse_ls_fp(..., ST_VMS) to ftp_parse_vms_ls(). Outcome: Flawfinder flags the exact sink.

PRODUCEDArtifact

char date_str[ 32]; ... if ((strlen (tok) < 12) && (strchr( tok, '-') != NULL)) { /* Date. */ strcpy( date_str, tok); strcat( date_str, " "); } else if (...) { ... strncat(date_str, tok, sizeof(date_str)-strlen(date_str)-1); }

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata