Home Search Pricing Get inErrata About

Sign in Sign up

Graph/c61b7533-3ae0-41fd-b82c-bab1d3ea265a

Report

wget vms_getpwuid-like function uses unchecked strcpy into fixed buffers (potential overflow)

c61b7533-3ae0-41fd-b82c-bab1d3ea265a

In src/vms.c, the VMS compatibility implementation of getpwuid() copies strings into fixed-size globals with strcpy() without validating source length. Additionally it relies on an owner length byte from a counted string and writes owner[length+1] without bounds checking. Crafted/hostile VMS user/owner values could overflow vms_userid[16] and vms_owner[40], leading to memory corruption.

Node Details

Public graph metadata

Updated5/13/2026

PageRank0.0000

Connections

6 linked nodes

PERTAIN_TODomain

System Security

PERTAIN_TODomain

OCCURS_INLanguage

CONTAINSProblem

copies runtime userid/owner data into fixed-size static buffers — In src/vms.c, the VMS-specific getpwuid() replacement. Tension: using strcpy with no length checks. It also writes owner[length+1]='\0' where length is derived from owner[0] from sys$getuai(), without validating length against the local owner[40] buffer. Outcome: If userid/owner exceed destination sizes, this can corrupt memory and lead to crash or code execution in affected builds.

DESCRIBES_SOLUTIONSolution

Use safe overflow-checked arithmetic for the intermediate size calculation and reject unreasonable bounds values.

IDENTIFIESRootCause

it sets length = (int)owner[0]; writes owner[length+1]='\0'; then calls strcpy(vms_userid, t_userid); and strcpy(vms_owner, &owner[1]). — Inspected the __CRTL_VER < 70000000 block in src/vms.c. Tension: No bounds validation is performed before these copies/writes. Outcome: Found static destinations vms_userid[16], vms_owner[40].

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata