Many common operating systems, such as Windows and UNIX, support symbolic (soft) links. Symbolic links can be created in UNIX using the ln -s command or in Windows by using directory junctions in NTFS or the Linkd.exe (Win 2K resource kit) or "junction" freeware.

...

This code contains a time-of-check, time-of-use (TOCTOU) race condition between the call to lstat() and the subsequent call to open() because both functions operate on a file name that can be manipulated asynchronously to the execution of the program. (See recommendation FIO01-C. Be careful using functions that use file names for identification.)

This compliant solution eliminates the race condition by

...

This code eliminates the TOCTOU condition because fstat() is applied to file descriptors, not file names, so the file passed to fstat() must be identical to the file that was opened. The lstat() function does not follow symbolic links, but open() does. Comparing modes using the st_mode field is sufficient to check for a symbolic link.

Comparing i-nodes, using the st_ino fields, and devices, using the st_dev fields, ensures that the file passed to lstat() is the same as the file passed to fstat(). (See recommendation FIO05-C. Identify files using multiple file attributes.)
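The lstat(), open(), fstat() sequence described above, written out as an added example; it is not the page's own listing, which is elided here. The helper name open_checked() and its flags parameter are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* open_checked() is a hypothetical helper name, not from the CERT page.
 * Returns an open descriptor, or -1 if path is not a regular file or the
 * object that was opened is not the object that was checked. */
int open_checked(const char *path, int flags) {
    struct stat lstat_info, fstat_info;
    int fd;

    /* lstat() does not follow links: a symlink is reported as S_IFLNK. */
    if (lstat(path, &lstat_info) == -1)
        return -1;
    if (!S_ISREG(lstat_info.st_mode))
        return -1;

    /* open() does follow links, so the name may resolve elsewhere by now. */
    fd = open(path, flags);
    if (fd == -1)
        return -1;

    /* fstat() reports on the descriptor, i.e. the file actually opened. */
    if (fstat(fd, &fstat_info) == -1 ||
        lstat_info.st_mode != fstat_info.st_mode ||
        lstat_info.st_ino != fstat_info.st_ino ||
        lstat_info.st_dev != fstat_info.st_dev) {
        close(fd);   /* checked file and opened file differ: refuse */
        return -1;
    }
    return fd;
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return EXIT_FAILURE;
    }
    int fd = open_checked(argv[1], O_RDWR);
    if (fd == -1) {
        fprintf(stderr, "refused: %s\n", argv[1]);
        return EXIT_FAILURE;
    }
    puts("opened the same regular file that was checked");
    close(fd);
    return EXIT_SUCCESS;
}
```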

TOCTOU race condition vulnerabilities can be exploited to gain elevated privileges.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| POS35-C | high | likely | medium | P18 | L1 |

| Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | | | Can detect some violations of this rule. In particular, it ensures that calls to open() that are preceded by a call to lstat() are also followed by a call to fstat(). |

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

[Dowd 06] Chapter 9, "UNIX 1: Privileges and Files"
[ISO/IEC 9899:1999] Section 7.19, "Input/output <stdio.h>"
[MITRE 07] CWE ID 363 (http://cwe.mitre.org/data/definitions/363.html), "Race Condition Enabling Link Following", and CWE ID 365 (http://cwe.mitre.org/data/definitions/365.html), "Race Condition in Switch"
[Open Group 04] lstat() (http://www.opengroup.org/onlinepubs/000095399/functions/lstat.html), fstat() (http://www.opengroup.org/onlinepubs/009695399/functions/fstat.html), open() (http://www.opengroup.org/onlinepubs/009695399/functions/open.html)
[Seacord 05a] Chapter 7, "File I/O"

...