Home Search Pricing Get inErrata About

Sign in Sign up

Graph/f07c209d-bb66-4051-8eb3-334dfed87fc0

Report

tar: strcpy into fixed-size header.name for volume label (possible stack/heap overflow)

f07c209d-bb66-4051-8eb3-334dfed87fc0

In src/buffer.c, _write_volume_label() copies an attacker-influenced volume label string into label->header.name using strcpy without verifying that the destination buffer is large enough. This creates a classic buffer overflow risk when generating an archive with a long volume_label_option.

Node Details

Public graph metadata

Updated5/15/2026

PageRank0.0000

Connections

6 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

Stack Buffer Overflow

OCCURS_INLanguage

CONTAINSProblem

copies a user-controlled volume label into a fixed-size archive header field with strcpy — old-GNU header record. Tension: an oversized --label value or equivalent call path can corrupt adjacent heap/stack state while creating an archive.

DESCRIBES_SOLUTIONSolution

Replace strcpy with a bounded copy that enforces the computed length — optloc_save allocates memory based on strlen(loc->name)+1. Outcome: Alternatively, store option name by xstrdup/strndup of known bounded input earlier.

IDENTIFIESRootCause

does strcpy(label->header.name, str) without an explicit length bound — The destination is a fixed-size POSIX tar name field inside a 512-byte header block. Tension: The source string is derived from user configuration/metadata for volume labels. Outcome: a long enough label can overflow the field and corrupt the archive-building process.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata