CVE-2018-6758

An attacker can supply an overly long directory path (with `dir_len` greater than `PATH_MAX`) to a uWSGI endpoint that calls `uwsgi_expand_path`. The unchecked `memcpy` overflows the stack buffer `src`, potentially corrupting adjacent memory. This can be triggered remotely if the application exposes a path-handling interface that passes attacker-controlled input to the vulnerable function. [patch_id=6629717]

The vulnerability is in the `uwsgi_expand_path` function in `core/utils.c`. The function copies a caller-supplied directory length (`dir_len`) into a fixed-size stack buffer `src[PATH_MAX+1]` via `memcpy` without checking whether `dir_len` exceeds `PATH_MAX`, leading to a stack-based buffer overflow.

The patch adds an early check: if `dir_len > PATH_MAX`, the function logs an error and returns NULL, preventing the overflow. It also replaces the fixed-size stack buffer `src[PATH_MAX+1]` with a heap-allocated string via `uwsgi_concat2n`, and frees that allocation in both the error and success paths. This eliminates the stack corruption and ensures the path length is always validated before use. [patch_id=6629717]