Critical Buffer Overflow in strcpy(): How Unbounded Copies Crash Systems
Severity: š“ Critical | CVE Class: CWE-121 (Stack-based Buffer Overflow) | Fixed In: lib/stdc/str.c
Introduction
Few vulnerabilities in systems programming are as old, as well-understood, and yet as persistently dangerous as the buffer overflow. Despite decades of warnings, compiler flags, and static analysis tools, unbounded string copies continue to appear in production codebases ā sometimes in the most critical places imaginable.
This post covers a recently patched critical severity buffer overflow in a custom strcpy() implementation located in lib/stdc/str.c. What makes this particular finding especially serious isn't just the vulnerability itself ā it's where the vulnerable function lived: at the heart of a system-wide string library used by kernel code, PPP authentication handlers, network packet processors, and archive path construction utilities.
When a single vulnerable function is called everywhere, fixing it everywhere starts with fixing it once, in the right place.
What Is a Buffer Overflow?
A buffer overflow occurs when a program writes more data into a memory buffer than the buffer was allocated to hold. The excess data spills into adjacent memory regions, potentially overwriting:
- Local variables on the stack
- Return addresses (enabling control flow hijacking)
- Saved frame pointers
- Heap metadata (in heap-based variants)
In the context of string operations in C, the classic culprit is strcpy() ā a function that copies bytes from a source string to a destination buffer and stops only when it encounters a null terminator (\0). If the source string is longer than the destination buffer, strcpy() will happily keep writing past the end of the buffer without complaint.
The Vulnerability Explained
Technical Details
The vulnerability resided in lib/stdc/str.c at line 248, in a custom implementation of strcpy(). The function signature looked something like this:
// VULNERABLE: No bounds checking, no size parameter
char *strcpy(char *dest, const char *src) {
char *d = dest;
while ((*d++ = *src++) != '\0')
;
return dest;
}
This is a textbook unbounded copy. The function accepts a destination pointer and a source pointer, but no size parameter. It copies bytes from src to dest until it hits a null terminator ā with absolutely no awareness of how large the destination buffer actually is.
Why This Is Especially Dangerous Here
In most codebases, a vulnerable strcpy() is bad. In this codebase, it was catastrophic in potential scope because this was the system-wide implementation used by:
| Caller | Risk |
|---|---|
PPP authentication handler (auth.c) |
Attacker-controlled authentication strings could overflow stack buffers |
| SAF archive path construction | Malicious archive paths could overwrite adjacent memory |
| Network packet string processing | Remote attackers sending oversized packet payloads could trigger overflow |
Any one of these call sites receiving input longer than its destination buffer would cause a stack or heap overflow.
How Could It Be Exploited?
Consider the PPP authentication handler. When a remote peer sends authentication credentials during a PPP handshake, those credentials are received over the network and passed into string processing routines. If an attacker crafts an authentication packet with an unusually long username or password field, the call to strcpy() would copy that oversized string into a fixed-size stack buffer ā overflowing it.
Here's a simplified attack scenario:
// Somewhere in auth.c (simplified)
void handle_auth(const char *received_username) {
char local_buf[64]; // Fixed-size stack buffer
strcpy(local_buf, received_username); // š„ No bounds check!
// ... process authentication
}
If received_username is 200 bytes long, strcpy() writes 200 bytes into a 64-byte buffer. The extra 136 bytes overwrite whatever sits adjacent in memory ā which on the stack typically means the saved return address.
By carefully crafting the overflow payload, an attacker can:
- Overwrite the return address with an address of their choosing
- Redirect execution to attacker-controlled code (or existing code via ROP chains)
- Achieve remote code execution ā potentially with kernel-level privileges
Real-World Impact
- Remote Code Execution (RCE): Network-facing callers like the PPP handler mean this could be triggered remotely without authentication
- Privilege Escalation: Kernel-mode callers mean successful exploitation could yield ring-0 access
- Denial of Service: Even without a working exploit, a crash from stack corruption takes down the entire system
- Authentication Bypass: Stack corruption in the auth handler could corrupt authentication state variables
The Fix
What Changed
The fix replaces the unbounded strcpy() implementation with a size-aware variant that enforces a maximum copy length. The corrected implementation follows the pattern established by strncpy() and the safer strlcpy() (from BSD):
// FIXED: Bounds-checked implementation
size_t strlcpy(char *dest, const char *src, size_t dest_size) {
size_t src_len = strlen(src);
if (dest_size > 0) {
size_t copy_len = (src_len >= dest_size) ? dest_size - 1 : src_len;
memcpy(dest, src, copy_len);
dest[copy_len] = '\0'; // Always null-terminate
}
return src_len; // Return full source length so callers can detect truncation
}
Key Security Improvements
| Property | Old strcpy() |
Fixed strlcpy() |
|---|---|---|
| Bounds checking | ā None | ā
Enforced via dest_size |
| Null termination | ā ļø Only if src fits | ā Always guaranteed |
| Truncation detection | ā Impossible | ā Via return value |
| Caller awareness | ā No size info | ā Explicit size required |
Why strlcpy() Over strncpy()?
You might wonder: why not just use strncpy()? The answer is subtle but important:
// strncpy() has its own footgun:
strncpy(dest, src, n);
// If src is exactly n bytes, dest is NOT null-terminated!
// This can lead to information disclosure or further memory corruption.
strncpy() does not guarantee null termination when the source fills the entire buffer. strlcpy() always null-terminates the destination (as long as dest_size > 0), and returns the total length of the source string, allowing callers to detect when truncation occurred:
// Caller can now detect truncation:
if (strlcpy(dest, src, sizeof(dest)) >= sizeof(dest)) {
// Truncation occurred ā handle the error!
log_error("String truncated, possible attack attempt");
return -1;
}
Prevention & Best Practices
1. Never Use Unbounded String Functions
Treat these C standard library functions as banned in security-sensitive code:
// ā Banned: unbounded, no size parameter
strcpy(dest, src);
strcat(dest, src);
sprintf(buf, fmt, ...);
gets(buf);
// ā
Safe alternatives
strlcpy(dest, src, sizeof(dest)); // BSD/OpenBSD
strlcat(dest, src, sizeof(dest)); // BSD/OpenBSD
snprintf(buf, sizeof(buf), fmt, ...); // C99+
fgets(buf, sizeof(buf), stdin); // For input
2. Always Pass and Check Buffer Sizes
Any function that writes into a buffer should accept an explicit size parameter:
// ā Bad: caller has no way to enforce limits
void process_username(char *dest, const char *src);
// ā
Good: size is explicit and enforced
void process_username(char *dest, size_t dest_size, const char *src);
3. Enable Compiler Protections
Modern compilers offer multiple layers of protection against buffer overflows:
# Add to your CFLAGS:
CFLAGS += -D_FORTIFY_SOURCE=2 # Runtime buffer overflow detection
CFLAGS += -fstack-protector-strong # Stack canaries
CFLAGS += -fstack-clash-protection # Stack clash protection
CFLAGS += -Wformat -Wformat-security # Format string warnings
LDFLAGS += -Wl,-z,relro,-z,now # Full RELRO (Linux)
4. Use Static Analysis Tools
Several tools can catch unbounded copies before they reach production:
| Tool | Type | Catches |
|---|---|---|
| Clang Static Analyzer | Static | Unbounded copies, use-after-free |
| Coverity | Static | Buffer overflows, memory errors |
| AddressSanitizer (ASan) | Dynamic | Heap/stack overflows at runtime |
| Valgrind | Dynamic | Memory errors, invalid reads/writes |
| CodeQL | Semantic | Data flow analysis, taint tracking |
Running ASan during testing is particularly effective:
# Compile with AddressSanitizer
gcc -fsanitize=address -g -o myprogram myprogram.c
# Any buffer overflow will now cause an immediate, descriptive crash
# instead of silent memory corruption
5. Conduct Threat Modeling for System-Wide Utilities
The scope of this vulnerability was amplified because the vulnerable function was a system-wide primitive. When writing or reviewing foundational utilities (string libraries, memory allocators, logging frameworks), apply heightened scrutiny:
- Who calls this? Map all callers and their trust boundaries
- What input can reach this? Trace data flows from untrusted sources
- What's the blast radius? A bug in a utility called 500 times is 500 bugs
6. Relevant Security Standards
- CWE-121: Stack-based Buffer Overflow
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CERT C Coding Standard: STR31-C ā Guarantee that storage for strings has sufficient space for character data and the null terminator
- OWASP: A03:2021 ā Injection (which encompasses memory corruption in native code)
- MISRA C 2012: Rule 21.6 ā The Standard Library input/output functions shall not be used
Conclusion
This vulnerability is a powerful reminder that foundational code deserves the most scrutiny. A single unsafe strcpy() implementation, tucked away in a string library, became a system-wide attack surface spanning network authentication, file path handling, and packet processing.
The fix is conceptually simple ā add a size parameter, enforce bounds, always null-terminate ā but the impact of getting it right is enormous. By replacing the unbounded copy with a safe strlcpy() pattern, every caller in the codebase inherits the protection automatically.
Key Takeaways
- ā
Never use
strcpy(),strcat(), orgets()in new code ā they have no place in modern C - ā Always pass explicit buffer sizes to functions that write strings
- ā Enable compiler mitigations (stack canaries, FORTIFY_SOURCE, ASan in testing)
- ā Scrutinize system-wide primitives ā bugs there multiply across every caller
- ā Use static analysis as a routine part of your CI/CD pipeline
Memory safety vulnerabilities like this one are preventable. The tools, techniques, and safer APIs exist ā it's a matter of building the habits and processes to use them consistently.
This vulnerability was identified and fixed by automated security scanning. Continuous security scanning helps catch critical issues before they reach production.
References: CWE-121 | CERT STR31-C | OpenBSD strlcpy