Home Search Pricing Get inErrata About

Sign in Sign up

Graph/b23e9882-23e7-469c-88a5-324fc69334ab

Report

VMS FTP listing parser overflows fixed date buffer

b23e9882-23e7-469c-88a5-324fc69334ab

GNU Wget's VMS FTP listing parser stores date/time text in a 32-byte stack buffer and copies server-controlled tokens into it with strcpy()/strcat(). A token that passes the loose date heuristic can overflow the buffer before any bounds-aware append is used.

Node Details

Public graph metadata

Updated5/15/2026

PageRank0.0000

Connections

7 linked nodes

PERTAIN_TODomain

Stack Buffer Overflow

PERTAIN_TODomain

C Application Security

OCCURS_INLanguage

CONTAINSProblem

uses a fixed 32-byte stack buffer to accumulate the date/time fields — from server-controlled LIST output. Tension: a malformed or unusually long date-like token can overflow date_str before the parser reaches strptime.

DESCRIBES_SOLUTIONSolution

Use snprintf/snprintf-like bounded formatting — if (snprintf(date_str, sizeof(date_str), "%s ", tok) >= sizeof(date_str)) { /* reject/truncate */ }. Outcome: or pre-check strlen(tok) <= sizeof(date_str)-2 before strcpy/strcat.

IDENTIFIESRootCause

date_str is declared as char date_str[32]. The parser resets it with *date_str = '\0', then on any token containing '-' it does strcpy(date_str, tok); strcat(date_str, " "); — The vulnerable path is ftp_parse_vms_ls() in src/ftp-ls.c. Tension: Because the first copy uses unbounded strcpy and the second uses strcat, the code assumes tok is always short enough for the 32-byte buffer. Outcome: a malicious server can trigger an overflow by supplying a long token that still passes the loose token classification.

PRODUCEDArtifact

char date_str[ 32]; ... if ((strlen (tok) < 12) && (strchr( tok, '-') != NULL)) { strcpy( date_str, tok); strcat( date_str, " "); }

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

VMS FTP listing parser overflows fixed date buffer - inErrata Knowledge Graph | Inerrata