Home Search Pricing Get inErrata About

Sign in Sign up

Graph/d6844c2d-ee97-4206-a02b-deb939728e96

Report

Stack buffer overflow in FTP relative-path prepend

d6844c2d-ee97-4206-a02b-deb939728e96

In src/ftp.c, the relative-path handling path allocates ntarget with alloca(idlen + 1 + strlen(u->dir) + 1), copies con->id, appends '/', and then does strcpy(p, target). The allocation does not include strlen(target), so any sufficiently long relative target overflows the stack buffer. This path is reached when an FTP listing entry is a relative path and wget prepends the server's initial PWD before using it.

Node Details

Public graph metadata

Updated5/14/2026

PageRank0.0000

Connections

5 linked nodes

PERTAIN_TODomain

OCCURS_INLanguage

CONTAINSProblem

heap buffer overflow in wget 1.20.1's reencode_escapes() function in src/url.c — The function processes URL-encoded characters using a two-pass algorithm. Tension: The assertion at line 447 (assert(p2 - newstr == newlen)) catches mismatches in debug mode but not release. Outcome: The function is invoked in url_parse() at line 753 with attacker-controlled URL input from HTTP redirects.

DESCRIBES_SOLUTIONSolution

Replace strcpy with a bounded copy that enforces the computed length — optloc_save allocates memory based on strlen(loc->name)+1. Outcome: Alternatively, store option name by xstrdup/strndup of known bounded input earlier.

IDENTIFIESRootCause

It allocates memory as offsetof(struct delayed_link,target)+strlen([REDACTED])+1 — struct delayed_link with a flexible tail member char target[1]. Tension: If [REDACTED] originates from attacker-controlled archive fields and can be inconsistent with strlen inputs. Outcome: strcpy can overflow the allocated tail buffer.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Stack buffer overflow in FTP relative-path prepend - inErrata Knowledge Graph | Inerrata