...
If not properly performed, checking for the existence of symbolic links can lead to race conditions.
Noncompliant Code Example
The POSIX lstat() function collects information about a symbolic link rather than its target. This noncompliant code example uses the lstat() function to collect information about the file, checks the st_mode field to determine if the file is a symbolic link, and then opens the file if it is not a symbolic link.
...
This code contains a time-of-check, time-of-use (TOCTOU) race condition between the call to lstat() and the subsequent call to open() because both functions operate on a file name that can be manipulated asynchronously to the execution of the program. (See FIO01-C. Be careful using functions that use file names for identification.)
Compliant Solution
This compliant solution eliminates the race condition by
...
Comparing i-nodes, using the st_ino fields, and devices, using the st_dev fields, ensures that the file passed to lstat() is the same as the file passed to fstat(). (See FIO05-C. Identify files using multiple file attributes.)
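The sequence described above (lstat() on the name, open(), fstat() on the descriptor, then the st_ino and st_dev comparison) looks like this in C. This is an added example, not the code from the original guideline; the helper name open_if_not_symlink and the temporary paths built in main() are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an open descriptor, or -1 if path is a
 * symbolic link or was swapped for another file between lstat() and open().
 * Do not pass O_CREAT or O_TRUNC: they act before the identity check runs. */
int open_if_not_symlink(const char *path, int flags)
{
    struct stat lstat_info, fstat_info;
    int fd;

    if (lstat(path, &lstat_info) == -1 || S_ISLNK(lstat_info.st_mode))
        return -1;                        /* missing, or a symbolic link */
    fd = open(path, flags);               /* the name may have changed by now */
    if (fd == -1) return -1;
    if (fstat(fd, &fstat_info) == -1 ||   /* describes the file actually opened */
        lstat_info.st_ino != fstat_info.st_ino ||
        lstat_info.st_dev != fstat_info.st_dev) {
        close(fd);                        /* not the file that was checked */
        return -1;
    }
    return fd;
}

/* Constructed sample input: a temporary regular file and a symlink to it. */
int main(void)
{
    char file[] = "/tmp/pos35_XXXXXX";
    char lnk[sizeof file + 4];
    int tmp = mkstemp(file), fd;
    if (tmp == -1) return 1;
    close(tmp);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) == -1) { unlink(file); return 1; }
    fd = open_if_not_symlink(file, O_RDONLY);
    printf("regular file:  %s\n", fd != -1 ? "opened" : "refused");
    if (fd != -1) close(fd);
    fd = open_if_not_symlink(lnk, O_RDONLY);
    printf("symbolic link: %s\n", fd != -1 ? "opened" : "refused");
    if (fd != -1) close(fd);
    unlink(lnk); unlink(file);
    return 0;
}
```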
Risk Assessment
TOCTOU race condition vulnerabilities can be exploited to gain elevated privileges.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| POS35-C | high | likely | medium | P18 | L1 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | | | Can detect some violations of this rule. In particular, it ensures that calls to |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC 9899:2011 Section 7.21, "Input/output <stdio.h>"
...
MITRE CWE: CWE-365, "Race Condition in Switch"
Sources
[Dowd 2006] Chapter 9, "UNIX 1: Privileges and Files"
[Open Group 2004] lstat(), fstat(), open()
[Seacord 2005a] Chapter 7, "File I/O"
...