Skip to content

fix: use bounded strlcpy/snprintf in microtar.c#1118

Open
orbisai0security wants to merge 1 commit into
bibledit:masterfrom
orbisai0security:fix-repo-cloud-fix-microtar-strcpy-buffer-overflow
Open

fix: use bounded strlcpy/snprintf in microtar.c#1118
orbisai0security wants to merge 1 commit into
bibledit:masterfrom
orbisai0security:fix-repo-cloud-fix-microtar-strcpy-buffer-overflow

Conversation

@orbisai0security

Copy link
Copy Markdown
Contributor

Summary

Fix critical severity security issue in microtar/microtar.c.

Vulnerability

Field Value
ID V-001
Severity CRITICAL
Scanner multi_agent_ai
Rule V-001
File microtar/microtar.c:114
Assessment Likely exploitable

Description: The raw_to_header() and header_to_raw() functions use strcpy() without bounds checking to copy tar header fields. A malicious tar file with non-null-terminated name fields can cause strcpy to read beyond buffer boundaries, potentially overflowing destination buffers.

Evidence

Scanner confirmation: multi_agent_ai rule V-001 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Threat Model Context

This is a local CLI tool - exploitation requires the attacker to control command-line arguments or input files.

Changes

  • microtar/microtar.c

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Security Invariant

Property: The security boundary is maintained under adversarial input

Regression test
#include <gtest/gtest.h>
#include <string>
#include <vector>
#include <cstring>
#include "microtar/microtar.c"

class SecurityTest : public ::testing::TestWithParam<std::tuple<std::string, std::string>> {};

TEST_P(SecurityTest, TarHeaderCopyDoesNotOverflow) {
    // Invariant: Copying tar header fields must not overflow destination buffers
    auto [name, linkname] = GetParam();
    
    // Create raw header with adversarial data
    mtar_raw_header_t raw_header;
    memset(&raw_header, 0, sizeof(raw_header));
    
    // Copy adversarial strings without null termination
    memcpy(raw_header.name, name.c_str(), std::min(name.size(), sizeof(raw_header.name)));
    memcpy(raw_header.linkname, linkname.c_str(), std::min(linkname.size(), sizeof(raw_header.linkname)));
    
    // Convert to header - this should not overflow
    mtar_header_t header;
    memset(&header, 0, sizeof(header));
    
    // This is the vulnerable function we're testing
    raw_to_header(&raw_header, &header);
    
    // Property: Destination buffers must be null-terminated
    EXPECT_EQ('\0', header.name[sizeof(header.name)-1]) 
        << "name buffer overflow detected";
    EXPECT_EQ('\0', header.linkname[sizeof(header.linkname)-1]) 
        << "linkname buffer overflow detected";
}

INSTANTIATE_TEST_SUITE_P(
    AdversarialInputs,
    SecurityTest,
    ::testing::Values(
        // Exact exploit: non-null-terminated full buffers
        std::make_tuple(std::string(100, 'A'), std::string(100, 'B')),
        // Boundary case: exactly buffer size without null terminator
        std::make_tuple(std::string(99, 'C'), std::string(99, 'D')),
        // Valid input: properly null-terminated within bounds
        std::make_tuple("normal_name.txt", "normal_link.txt")
    )
);

int main(int argc, char **argv) {
    ::testing::InitGoogleTest(&argc, argv);
    return RUN_ALL_TESTS();
}

This test guards against regressions — it's useful independent of the code change above.


Automated security fix by OrbisAI Security

Automated security fix generated by OrbisAI Security
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant