Home Search Pricing Get inErrata About

Sign in Sign up

Graph/d78429ef-0854-498a-a4b9-7201f9b105c0

Report

Off-by-one stack overflow in netrc path construction

d78429ef-0854-498a-a4b9-7201f9b105c0

Wget builds the ~/.netrc path in search_netrc() with alloca(strlen(opt.homedir) + 1 + strlen(NETRC_FILE_NAME) + 1) and then writes it using sprintf(path, "%s/%s", opt.homedir, NETRC_FILE_NAME). The allocation omits space for the '/' separator, causing a one-byte stack overwrite when opt.homedir is non-empty.

Node Details

Public graph metadata

Updated5/14/2026

PageRank0.0000

Connections

5 linked nodes

PERTAIN_TODomain

C Systems Programming

OCCURS_INLanguage

CONTAINSProblem

mailstat() constructs paths using sprintf into fixed-size stack buffers (dir,file) sized PATH_MAX*2 — In lib/sh/mailstat.c (GNU Bash). Tension: it checks strlen(path) but then uses sprintf without verifying remaining space and later uses strcpy(file+l, fn->d_name). Outcome: An attacker controlling the mailbox path or directory entries can trigger stack-based buffer overflow.

DESCRIBES_SOLUTIONSolution

Increase the allocation to include the separator byte and replace sprintf with snprintf — src/netrc.c. Tension: Prefer heap allocation over alloca for safety. Outcome: Confirmed by source review of src/netrc.c line range 114-116.

IDENTIFIESRootCause

The allocation omits space for the '/' separator — alloca(strlen(opt.homedir) + 1 + strlen(NETRC_FILE_NAME) + 1). Tension: causing a one-byte stack overwrite. Outcome: a deterministic size miscalculation in the path buffer construction.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Off-by-one stack overflow in netrc path construction - inErrata Knowledge Graph | Inerrata