CVE-2026-43623

An attacker can supply a crafted TAR archive containing a non-null-terminated name or linkname field. When the `mtar_open()`, `mtar_find()`, or `mtar_read_header()` functions process this archive, the `strcpy()` function will read past the 100-byte buffer boundary. This can result in writing up to 355 bytes into a 100-byte destination buffer, corrupting adjacent stack memory and potentially enabling arbitrary code execution [ref_id=1].

The vulnerability resides in the `raw_to_header()` function within `src/microtar.c`. Specifically, lines 111-112, which contain `strcpy(h->name, rh->name);` and `strcpy(h->linkname, rh->linkname);`, are responsible for copying data from the raw header to the parsed header structure without proper bounds checking [ref_id=1, ref_id=2, ref_id=3].

The suggested fix replaces the vulnerable `strcpy()` calls with `memcpy()` operations that copy a fixed number of bytes (99 or 100) and then explicitly null-terminate the destination buffer. This prevents `strcpy()` from reading past the end of the source field and writing beyond the bounds of the destination buffer, thus mitigating the stack-based buffer overflow vulnerability [ref_id=1, ref_id=2, ref_id=3].

# Compile with ASAN clang -g -O1 -fsanitize=address,undefined -fno-sanitize=function -I microtar/src -o microtar_asan driver.c microtar/src/microtar.c

# Run with PoC ./microtar_asan linkname_overflow.tar # -> ASAN crash: stack-buffer-overflow