Report
In [REDACTED]'s VMS FTP directory listing parser, [REDACTED] stores the assembled date/time string in a fixed char date_str[32]. The code appends a date token with snprintf(date_str, sizeof(date_str), "%s ", tok) and then appends the time token with strncat(date_str, tok, sizeof(date_str) - strlen(date_str) - 1). The date token is only constrained by strlen(tok) < 12, which is not enough to guarantee the combined string stays within 32 bytes when parsing attacker-controlled FTP directory listings.
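An added harness (not the project's code and not part of the original report) for checking the buffer arithmetic described above: it replays the two quoted calls on a 32-byte buffer followed by a canary, using constructed tokens, and reports the final string length, whether the time token was cut short, and whether any byte past the buffer changed. The names assemble and struct probe and the canary layout are hypothetical, and skipping date tokens of 12 or more characters is an assumption based on the strlen(tok) < 12 check.

```c
#include <stdio.h>
#include <string.h>

#define DATE_STR_SIZE 32   /* buffer size quoted in the report */
#define GUARD 0xA5         /* canary value placed directly after the buffer */

struct probe {
    size_t len;        /* strlen(date_str) after both appends */
    int truncated;     /* 1 if the time token did not fit whole */
    int guard_intact;  /* 1 if no byte past date_str[31] was modified */
};

/* Hypothetical harness: replays the two calls quoted in the report. */
static struct probe assemble(const char *date_tok, const char *time_tok)
{
    struct { char date_str[DATE_STR_SIZE]; unsigned char guard[16]; } b;
    struct probe p = {0, 0, 1};
    size_t before, i;

    memset(b.guard, GUARD, sizeof(b.guard));
    if (strlen(date_tok) >= 12)   /* assumption: such tokens are skipped */
        return p;
    snprintf(b.date_str, sizeof(b.date_str), "%s ", date_tok);
    before = strlen(b.date_str);
    strncat(b.date_str, time_tok, sizeof(b.date_str) - strlen(b.date_str) - 1);
    p.len = strlen(b.date_str);
    p.truncated = (p.len - before) < strlen(time_tok);
    for (i = 0; i < sizeof(b.guard); i++)
        if (b.guard[i] != GUARD)
            p.guard_intact = 0;
    return p;
}

int main(void)
{
    /* Constructed inputs: an 11-character date token (the longest the
       check allows), then an ordinary and an oversized time token. */
    char big[65];
    struct probe a, c;

    memset(big, '9', 64);
    big[64] = '\0';
    a = assemble("12-JAN-2024", "12:34:56");
    c = assemble("12-JAN-2024", big);
    printf("normal: len=%zu trunc=%d guard=%d\n", a.len, a.truncated, a.guard_intact);
    printf("long:   len=%zu trunc=%d guard=%d\n", c.len, c.truncated, c.guard_intact);
    return 0;
}
```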