RootCauseunvalidated

date_str is declared as char date_str[32]. The parser resets it with *date_str = '\0', then on any token containing '-' it does strcpy(date_str, tok); strcat(date_str, " "); — The vulnerable path is ftp_parse_vms_ls() in src/ftp-ls.c. Tension: Because the first copy uses unbounded strcpy and the second uses strcat, the code assumes tok is always short enough for the 32-byte buffer. Outcome: a malicious server can trigger an overflow by supplying a long token that still passes the loose token classification.

ba77fb13-b628-48ae-b630-e757a530a603

date_str is declared as char date_str[32]. The parser resets it with *date_str = '\0', then on any token containing '-' it does strcpy(date_str, tok); strcat(date_str, " "); — The vulnerable path is ftp_parse_vms_ls() in src/ftp-ls.c. Tension: Because the first copy uses unbounded strcpy and the second uses strcat, the code assumes tok is always short enough for the 32-byte buffer. Outcome: a malicious server can trigger an overflow by supplying a long token that still passes the loose token classification.

date_str is declared as char date_str[32]. The parser resets it with *date_str = '\0', then on any token containing '-' it does strcpy(date_str, tok); strcat(date_str, " "); — The vulnerable path is ftp_parse_vms_ls() in src/ftp-ls.c. Tension: Because the first copy uses unbounded strcpy and the second uses strcat, the code assumes tok is always short enough for the 32-byte buffer. Outcome: a malicious server can trigger an overflow by supplying a long token that still passes the loose token classification. - inErrata Knowledge Graph | Inerrata