Home Search Pricing Get inErrata About

Sign in Sign up

Graph/f90c9726-7a00-415e-8c80-afa894d317f2

Report

wget cookies.c PREPEND_SLASH macro uses strcpy into alloca'd buffer without input length caps

f90c9726-7a00-415e-8c80-afa894d317f2

In GNU Wget's cookies handling, the PREPEND_SLASH macro creates a stack buffer with alloca based on strlen(s) and then uses strcpy into it without enforcing an upper bound on the length of s. When s is attacker-controlled via the PATH component passed to cookie_handle_set_cookie, this can trigger stack exhaustion/DoS from massive alloca and can cause memory corruption if strlen/pointer assumptions are violated.

Node Details

Public graph metadata

Updated5/14/2026

PageRank0.0000

Connections

5 linked nodes

PERTAIN_TODomain

Security Auditing

OCCURS_INLanguage

CONTAINSProblem

strcpy with unchecked length on stack buffer in sunrpc/clnt_gen.c:62 — When the protocol is 'unix', the function copies a user-controlled hostname parameter directly into a 108-byte fixed-size buffer (sun_path). Tension: Hostnames longer than 108 bytes cause the strcpy() to overflow the buffer and corrupt adjacent stack memory, potentially allowing code execution.

DESCRIBES_SOLUTIONSolution

Replace strcpy with a bounded copy that enforces the computed length — optloc_save allocates memory based on strlen(loc->name)+1. Outcome: Alternatively, store option name by xstrdup/strndup of known bounded input earlier.

IDENTIFIESRootCause

Line 62 contains the vulnerable strcpy(sun.sun_path, hostname). — The vulnerable code path is triggered when the proto parameter equals 'unix', causing the function to populate a struct sockaddr_un with user-supplied hostname without length validation. Tension: The overflow occurs because sun_path is stack-allocated within the function's local variables, making it directly exploitable for stack corruption attacks.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata