fix: the argument parsing function copies a command-... in...#207

Open
orbisai0security wants to merge 3 commits into AcademySoftwareFoundation:main from orbisai0security:fix-v-001-app-oapv-app-args.h

@orbisai0security

Summary

Fix critical severity security issue in app/oapv_app_args.h.

Vulnerability

| Field | Value |
|---|---|
| ID | V-001 |
| Severity | CRITICAL |
| Scanner | multi_agent_ai |
| Rule | V-001 |
| File | app/oapv_app_args.h:127 |

Description: The argument parsing function copies a command-line argument string directly into a fixed-size destination buffer (ops->val) using strcpy, which performs no length validation. Because the source string (argv) is entirely attacker-controlled and its length is unbounded, an attacker can supply an argument longer than the allocated destination buffer, overflowing it and overwriting adjacent memory including return addresses, function pointers, or heap metadata.

Changes

  • app/oapv_app_args.h

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

The argument parsing function copies a command-line argument string directly into a fixed-size destination buffer (ops->val) using strcpy, which performs no length validation
@kpchoi

kpchoi commented Jun 17, 2026

Collaborator

How about returning an error in case of too long string input?

@orbisai0security

Author

> How about returning an error in case of too long string input?

done.

@kpchoi

kpchoi commented Jun 26, 2026

Collaborator

BTW, the function "args_set_variable_by_key_long( )" supports 'non' string value arguments, like;

args_set_variable_by_key_long(opts, "color-range", &vars->color_range);

Have you checked these cases?

…y_key_long

For non-STRING opts (INTEGER, FLAG), sizeof(var) evaluates to sizeof(pointer)
rather than sizeof(int), producing a misleading val_len of 8. Since val_len is
only read in the ARGS_VAL_TYPE_STRING branch of args_read_value(), zero it for
all other types to make the invariant explicit and prevent future misuse.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@orbisai0security

Author

> BTW, the function "args_set_variable_by_key_long( )" supports 'non' string value arguments, like;
>
> args_set_variable_by_key_long(opts, "color-range", &vars->color_range);
>
> Have you checked these cases?

addressed. pls review.
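
The two points raised in this thread, sketched as an added example that is not the PR's or the project's code: a bounded copy that returns an error on over-long input instead of calling strcpy, and a `val_len` that is zero for non-string options. Only `val`, `val_len` and the string-only length check come from the thread; the `demo_*` names, the enum and the explicit capacity parameter are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical option record; only val and val_len are named in the thread. */
enum demo_type { DEMO_FLAG, DEMO_INTEGER, DEMO_STRING };
typedef struct {
    enum demo_type type;
    void *val;       /* destination variable */
    size_t val_len;  /* capacity in bytes, meaningful for DEMO_STRING only */
} demo_opt_t;

/* The caller passes the capacity; sizeof on a pointer gives the pointer size. */
static void demo_bind(demo_opt_t *o, enum demo_type t, void *var, size_t cap)
{
    o->type = t;
    o->val = var;
    o->val_len = (t == DEMO_STRING) ? cap : 0; /* zero for non-string types */
}

/* Returns 0 on success, -1 on malformed or over-long input. */
static int demo_read_value(demo_opt_t *o, const char *arg)
{
    if (o->type == DEMO_FLAG) { *(int *)o->val = 1; return 0; }
    if (arg == NULL) return -1;
    if (o->type == DEMO_INTEGER) {
        char *end;
        errno = 0;
        long v = strtol(arg, &end, 10);
        if (errno == ERANGE || end == arg || *end != '\0' || v < INT_MIN || v > INT_MAX) return -1;
        *(int *)o->val = (int)v;
        return 0;
    }
    size_t n = strlen(arg);          /* DEMO_STRING */
    if (n >= o->val_len) return -1;  /* no room for the NUL: reject, never truncate */
    memcpy(o->val, arg, n + 1);      /* bounded copy, terminator included */
    return 0;
}

int main(void)
{
    char name[8] = ""; /* constructed sample destination */
    demo_opt_t opt;
    demo_bind(&opt, DEMO_STRING, name, sizeof name);
    printf("%d %d\n", demo_read_value(&opt, "1234567"), demo_read_value(&opt, "12345678"));
    return 0;
}
```

Rejecting rather than truncating keeps a too-long option value from being silently accepted in a shortened form.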
