Report

tar src/extract.c: delayed_link uses strcpy into tail buffer

f6607105-4bea-4c5e-910f-51b843b6ff1c

In src/extract.c, GNU tar constructs a struct delayed_link whose flexible tail member is declared as char target[1]. It allocates offsetof(struct delayed_link, target) + strlen([REDACTED]) + 1 bytes, then copies into p->target with strcpy(p->target, [REDACTED]). If [REDACTED] originates from attacker-controlled archive fields and the string that strcpy copies can differ from the one strlen measured (e.g., embedded NULs or a length/copy source mismatch), strcpy can overflow the allocated tail buffer (CWE-120/CWE-787 bug class).
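The allocation-and-copy pattern described above, next to a form that measures the source once and copies by that same length, as an added example that is not GNU tar's code. struct link_rec, its target_len field, rec_new_strcpy and rec_new_bounded are hypothetical names, and passing the source as a (pointer, size) field is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the record in the report (hypothetical names,
   not GNU tar's definition). The tail is over-allocated by the caller. */
struct link_rec {
    size_t target_len;   /* added field: length the tail was sized for */
    char target[1];
};

/* Pattern as reported: strlen sizes the tail, strcpy fills it. Correct only
   if both calls walk the same unchanged NUL-terminated string. */
struct link_rec *rec_new_strcpy(const char *name)
{
    struct link_rec *p = malloc(offsetof(struct link_rec, target) + strlen(name) + 1);
    if (p == NULL) return NULL;
    p->target_len = strlen(name);
    strcpy(p->target, name);
    return p;
}

/* Hardened form: measure once, bounded by the size of the source field,
   then copy exactly that many bytes and terminate explicitly. */
struct link_rec *rec_new_bounded(const char *field, size_t field_size)
{
    const char *nul = memchr(field, '\0', field_size);
    size_t len = nul ? (size_t)(nul - field) : field_size;
    if (len > SIZE_MAX - offsetof(struct link_rec, target) - 1)
        return NULL;                       /* size computation would wrap */
    struct link_rec *p = malloc(offsetof(struct link_rec, target) + len + 1);
    if (p == NULL) return NULL;
    p->target_len = len;
    memcpy(p->target, field, len);         /* same len that sized the tail */
    p->target[len] = '\0';
    return p;
}

int main(void)
{
    /* Constructed sample: an 8-byte field with no NUL terminator. */
    static const char field[8] = {'d','i','r','/','f','i','l','e'};
    struct link_rec *p = rec_new_bounded(field, sizeof field);
    int ok = p != NULL && p->target_len == 8 && strlen(p->target) == 8;
    free(p);
    return ok ? 0 : 1;
}
```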