Many common operating systems, such as Windows and UNIX, support symbolic (soft) links. Symbolic links can be created in UNIX using the
ln -s command or in Windows by using directory junctions in NTFS or the Linkd.exe (Win 2K resource kit) or "junction" freeware.
If not properly performed, checking for the existence of symbolic links can lead to race conditions.
This rule is a specific instance of rule FIO45-C. Avoid TOCTOU race conditions while accessing files.
Noncompliant Code Example
lstat() function collects information about a symbolic link rather than its target. This noncompliant code example uses the
lstat() function to collect information about the file, checks the
st_mode field to determine if the file is a symbolic link, and then opens the file if it is not a symbolic link:
This code contains a time-of-check, time-of-use (TOCTOU) race condition between the call to
lstat() and the subsequent call to
open() because both functions operate on a file name that can be manipulated asynchronously to the execution of the program. (See FIO01-C. Be careful using functions that use file names for identification.)
Compliant Solution (POSIX.1-2008 or newer)
This compliant solution eliminates the race condition by using
O_NOFOLLOW to cause
open() to fail if passed a symbolic link, avoiding the TOCTOU by not having a separate "check" and "use":
Compliant Solution (POSIX.1-2001 or older)
This compliant solution eliminates the race condition by
lstat()on the file name.
open()to open the file.
fstat()on the file descriptor returned by
- Comparing the file information returned by the calls to
fstat()to ensure that the files are the same.
This code eliminates the TOCTOU condition because
fstat() is applied to file descriptors, not file names, so the file passed to
fstat() must be identical to the file that was opened. The
lstat() function does not follow symbolic links, but
open() does. Comparing modes using the
st_mode field is sufficient to check for a symbolic link.
Comparing i-nodes, using the
st_ino fields, and devices, using the
st_dev fields, ensures that the file passed to
lstat() is the same as the file passed to
fstat(). (See FIO05-C. Identify files using multiple file attributes.)
TOCTOU race condition vulnerabilities can be exploited to gain elevated privileges.
|Axivion Bauhaus Suite|
Can detect some violations of this rule. In particular, it ensures that calls to
DF4886, DF4887, DF4888
Avoid race conditions while checking for the existence of a symbolic link
|Polyspace Bug Finder|
|CERT C: Rule POS35-C|
Checks for file access between time of check and use (TOCTOU) (rule fully covered)
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Key here (explains table format and definitions)
|CWE 2.11||CWE-363, Race condition enabling link following||2017-07-07: CERT: Exact|
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-764 and POS51-C/POS35-C
Independent( CWE-764, POS51-C, POS35-C)
CWE-764 is about semaphores, or objects capable of being locked multiple times. Deadlock arises from multiple locks being acquired in a cyclic order, and generally does not arise from semaphores or recursive mutexes.
|[Dowd 2006]||Chapter 9, "UNIX 1: Privileges and Files"|
|[ISO/IEC 9899:2011]||Section 7.21, "Input/output |
|[Open Group 2004]||lstat() |
|[Seacord 2013]||Chapter 8, "File I/O"|