Skip to content

fix: use bounded strlcpy/snprintf in colossus.c#2

Open
orbisai0security wants to merge 2 commits into
stblake:mainfrom
orbisai0security:fix-v-001-strcpy-buffer-overflow
Open

fix: use bounded strlcpy/snprintf in colossus.c#2
orbisai0security wants to merge 2 commits into
stblake:mainfrom
orbisai0security:fix-v-001-strcpy-buffer-overflow

Conversation

@orbisai0security

@orbisai0security orbisai0security commented Jun 21, 2026

Copy link
Copy Markdown

Summary

Fix critical severity security issue in colossus.c.

Vulnerability

Field Value
ID V-001
Severity CRITICAL
Scanner multi_agent_ai
Rule V-001
File colossus.c:311
Assessment Confirmed exploitable

Description: Seven separate strcpy calls in the command-line argument parsing section of colossus.c copy user-supplied argv strings directly into fixed-size character arrays within the ColossusConfig struct without any bounds checking. Any argument exceeding the buffer size (typically 256 or 512 bytes) will overflow into adjacent struct members or stack memory, enabling arbitrary code execution.

Evidence

Exploitation scenario: Execute: ./colossus -cipher $(python3 -c "print('A'*4096)") -type 0 -ngramsize 4 -ngramfile eng_quadgrams.txt.

Scanner confirmation: multi_agent_ai rule V-001 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Changes

  • colossus.c

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Security Invariant

Property: The security boundary is maintained under adversarial input

Regression test 
#include <check.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

START_TEST(test_argv_buffer_overflow_invariant)
{
    /* Invariant: Processing adversarial argv strings must not cause
       memory corruption (crash/signal) — the program must exit cleanly
       or with a controlled error, never via SIGSEGV/SIGABRT. */
    const char *payloads[] = {
        /* Exact exploit: 512-byte overflow exceeding typical buffer */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        /* Boundary: exactly 255 chars (one under typical 256-byte buffer) */
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
        /* Valid: short benign filename */
        "input.txt",
    };
    int num_payloads = sizeof(payloads) / sizeof(payloads[0]);

    for (int i = 0; i < num_payloads; i++) {
        pid_t pid = fork();
        ck_assert_msg(pid >= 0, "fork failed");

        if (pid == 0) {
            /* Child: invoke colossus with -c <payload> and redirect output */
            execl("./colossus", "colossus", "-c", payloads[i], NULL);
            _exit(127); /* exec failed */
        } else {
            int status = 0;
            waitpid(pid, &status, 0);

            if (WIFSIGNALED(status)) {
                int sig = WTERMSIG(status);
                /* SIGSEGV=11, SIGABRT=6, SIGBUS=7 indicate memory corruption */
                ck_assert_msg(sig != SIGSEGV && sig != SIGABRT && sig != SIGBUS,
                    "colossus crashed with signal %d on payload[%d] — "
                    "buffer overflow detected", sig, i);
            }
            /* Controlled exit (any code) or normal termination is acceptable */
        }
    }
}
END_TEST

Suite *security_suite(void)
{
    Suite *s;
    TCase *tc_core;

    s = suite_create("Security");
    tc_core = tcase_create("Core");
    tcase_set_timeout(tc_core, 10);
    tcase_add_test(tc_core, test_argv_buffer_overflow_invariant);
    suite_add_tcase(s, tc_core);

    return s;
}

int main(void)
{
    int number_failed;
    Suite *s;
    SRunner *sr;

    s = security_suite();
    sr = srunner_create(s);

    srunner_run_all(sr, CK_NORMAL);
    number_failed = srunner_ntests_failed(sr);
    srunner_free(sr);

    return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}

This test guards against regressions — it's useful independent of the code change above.

Automated security fix by OrbisAI Security

@orbisai0security
fix: V-001 security vulnerability
86281ec 
Automated security fix generated by OrbisAI Security
@orbisai0security
fix: use bounded strlcpy/snprintf in colossus.c
12595ce 
Seven separate strcpy calls in the command-line argument parsing section of colossus
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@orbisai0security