SECURITY: C directory creation code has buffer overflow vulnerability in path handling #908
Description
Problem Description
The C directory creation code contains buffer overflow vulnerabilities in path string handling that could allow arbitrary code execution through crafted directory paths.
Evidence
File: src/system/fortplot_mkdir_windows.c
Lines: 53-55, 131-133, MAX_PATH usage
Buffer Overflow #1: Windows Path Handling
// Lines 53-55: Unsafe string copy without bounds checking
char parent[MAX_PATH];
strncpy(parent, path, MAX_PATH - 1); // Potential overflow if path longer than MAX_PATH
parent[MAX_PATH - 1] = '\0';Buffer Overflow #2: Unix Path Handling
// Lines 131-133: Memory allocation without size validation
char* parent = strdup(path); // No length check on input path
if (!parent) return 0;Path Length Validation Missing
The C functions receive paths from Fortran without any length validation:
- Fortran validates MAX_PATH_LENGTH = 4096 characters
- Windows MAX_PATH = 260 characters (much smaller)
- Unix has no consistent PATH_MAX across systems
Technical Analysis
Attack Vector #1: Path Length Exploitation
! Fortran allows up to 4096 characters
character(len=4096) :: malicious_path = repeat('A', 4096)
call create_directory_runtime(malicious_path, success)// Windows C code only expects MAX_PATH (260 chars)
char parent[MAX_PATH]; // 260 bytes
strncpy(parent, path, MAX_PATH - 1); // Overflow if path > 259 charsAttack Vector #2: Format String Vulnerabilities
While not directly present, the path handling creates conditions for format string attacks in debug output.
Platform Inconsistency
- Fortran validation: 4096 character limit
- Windows C code: 260 character assumption (MAX_PATH)
- Unix C code: No length limit validation with strdup()
Security Implications
Windows Platform
- Stack buffer overflow: parent[MAX_PATH] buffer can be overflowed
- Code execution: Attacker controls return address through stack overflow
- Privilege escalation: Directory creation often runs with elevated privileges
Unix Platform
- Heap exhaustion: strdup() with massive paths causes memory exhaustion DoS
- Memory corruption: Subsequent operations on oversized paths corrupt heap
- Path traversal amplification: Long paths may bypass security checks
Real-World Exploitability
Attack Scenario
- Attacker provides path > 260 characters on Windows
- Fortran validation passes (4096 limit)
- C code overflows parent[MAX_PATH] buffer
- Return address overwritten, arbitrary code execution
Mitigation Bypass
Current Fortran validation doesn't prevent this attack:
! Line 180-186: Fortran checks 4096 limit, not platform-specific limits
if (path_len > MAX_PATH_LENGTH) then ! MAX_PATH_LENGTH = 4096Required Fix
Immediate (Security Critical)
// Windows: Use safe string functions
char parent[MAX_PATH];
if (strlen(path) >= MAX_PATH) return 0; // Reject oversized paths
strncpy_s(parent, MAX_PATH, path, MAX_PATH - 1);
// Unix: Validate length before strdup
if (strlen(path) > PATH_MAX) return 0; // Platform-specific limit
char* parent = strndup(path, PATH_MAX);Architectural Fix
Align Fortran and C path length limits:
! Update Fortran validation to match C platform limits
integer, parameter :: MAX_PATH_LENGTH = 260 ! Windows compatibilityPriority
CRITICAL - Buffer overflow vulnerability allows arbitrary code execution through directory creation paths. Must be patched immediately before any security-sensitive deployment.