...
The above code still contains an unavoidable TOCTOU race condition: an attacker can replace the file referenced by filename after the call to lstat() but before the call to open(). The switch is discovered only after the file has been opened, so the open() itself cannot be prevented; this matters where merely opening the file has side effects.
There are essentially four cases, depending on what the attacker substitutes for the file:
| Type | Note on effect |
|---|---|
| another regular file | The fstat() verification fails on st_dev or st_ino (st_mode may well compare equal, so the identity check is what catches this case). |
| FIFO | Either open() returns -1 with errno set to ENXIO, or open() succeeds and the fstat() verification fails on st_mode. (A blocking read-only open of a FIFO with no writer does neither: it hangs until a writer appears, a denial of service in its own right; O_NONBLOCK avoids that.) |
| symbolic link | open() returns -1 with errno set to ELOOP if O_NOFOLLOW is available; otherwise the link is followed and the fstat() verification fails (unless the link resolves to the original file, which is harmless). |
| special device | Usually the fstat() verification fails on st_mode. This can still be a problem if the device is one for which merely opening (or closing) it causes something to happen. If st_mode compares equal, the device is one that, once opened, appears to be a regular file; it then fails the fstat() verification on st_dev and st_ino (unless it happens to be the same file, as can happen with /dev/fd/* on Solaris, which is not a problem). |
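The following is an added example, not code from the original page: it implements the lstat()/open()/fstat() pattern discussed above and then exercises the cases from the table, including the race itself, by swapping a different regular file into the path between lstat() and open(). It assumes a POSIX system with O_NOFOLLOW (Linux or a BSD) and a writable /tmp; the function names open_regular_checked, same_regular_file and run_scenarios are this example's own. The O_NONBLOCK and O_NOCTTY flags go beyond the pattern the page describes; they are added so that a substituted FIFO or terminal cannot hang the open or become the controlling terminal.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0  /* no kernel support: the fstat() comparison must catch symlinks */
#endif

/* True when the object behind an open descriptor is the very regular file that
 * lstat() saw: same type and permission bits, same device, same inode. */
static int same_regular_file(const struct stat *before, const struct stat *after)
{
    return S_ISREG(after->st_mode) && after->st_mode == before->st_mode
        && after->st_dev == before->st_dev && after->st_ino == before->st_ino;
}

/* Open `filename` read-only only if lstat() says it is a regular file and
 * fstat() confirms the opened object is that same file. Returns a descriptor,
 * or -1 with errno set (EINVAL when a verification step fails). */
int open_regular_checked(const char *filename)
{
    struct stat before, after;

    if (lstat(filename, &before) != 0)
        return -1;
    if (!S_ISREG(before.st_mode)) {
        errno = EINVAL;
        return -1;
    }
    /* The race window lies between the lstat() above and this open().
     * O_NOFOLLOW refuses a substituted symlink; O_NONBLOCK keeps a substituted
     * FIFO with no writer (or a slow device) from hanging the open; O_NOCTTY
     * keeps a substituted terminal from becoming our controlling terminal. */
    int fd = open(filename, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &after) != 0 || !same_regular_file(&before, &after)) {
        close(fd);      /* too late to prevent the open, but not the use */
        errno = EINVAL;
        return -1;
    }
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);  /* verified: blocking reads are fine */
    return fd;
}

/* Demonstration harness (constructed for this example): builds a regular file,
 * a symlink, a FIFO and an "attacker" file in a fresh temporary directory, runs
 * the cases from the table, and returns how many went undetected (0 = all caught). */
int run_scenarios(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char reg[64], lnk[64], fifo[64], evil[64];
    struct stat before, after;
    int fd, failures = 0;

    if (mkdtemp(dir) == NULL)
        return 99;
    snprintf(reg, sizeof reg, "%s/regular", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    snprintf(evil, sizeof evil, "%s/attacker", dir);
    if ((fd = open(reg, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return 99;
    if (write(fd, "secret\n", 7) != 7) failures++;
    close(fd);
    if ((fd = open(evil, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return 99;
    close(fd);
    if (symlink(reg, lnk) != 0 || mkfifo(fifo, 0600) != 0) return 99;

    /* 1. The genuine regular file passes both checks. */
    if ((fd = open_regular_checked(reg)) < 0) failures++; else close(fd);
    /* 2, 3. A symlink or FIFO already in place is rejected by the lstat() check. */
    if (open_regular_checked(lnk) != -1 || open_regular_checked(fifo) != -1) failures++;
    /* 4. The race itself: lstat() sees the original, then the "attacker"
     *    atomically renames another regular file over the path before open().
     *    st_mode matches, so only the st_dev/st_ino comparison can detect it. */
    if (lstat(reg, &before) != 0 || rename(evil, reg) != 0) return 99;
    if ((fd = open(reg, O_RDONLY | O_NOFOLLOW)) < 0 || fstat(fd, &after) != 0) return 99;
    if (same_regular_file(&before, &after)) failures++;  /* swap would go unnoticed */
    close(fd);

    unlink(reg); unlink(lnk); unlink(fifo); rmdir(dir);
    return failures;
}

int main(void)
{
    int failures = run_scenarios();
    printf("%d case(s) went undetected\n", failures);
    return failures == 0 ? 0 : 1;
}
```

Case 4 uses rename() rather than unlink() plus create because that is what a real attacker does (the replacement is atomic) and because a freshly freed inode number can be reused by the next file created, which would defeat a test built on unlink(). Note what the example cannot show: if the substituted object were a device with side effects on open(), the check would still detect the swap, but only after the side effect had already occurred.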
...