SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 21

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 22

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#ccccff
char *filename;
struct stat lstat_info
struct stat fstat_info;
int fd;
/* ... */
if (lstat(filename, &lstat_info) == -1) {
  /* handle error */
}
if ((fd = open(filename, O_RDWR)) == -1) {
  /* handle error */
}
if (fstat(fd, &fstat_info) == -1) {
  /* handle error */
}
if (lstat_info.st_mode == fstat_info.st_mode &&
    lstat_info.st_ino == fstat_info.st_ino  &&
    lstat_info.st_dev == fstat_info.st_dev) {
  write(fd, userbuf, userlen);
}

Wiki MarkupThis eliminates the TOCTOU condition because {{fstat()}} is applied to file descriptors, not file names, so the file passed to {{fstat()}} must be identical to the file that was opened. The {{lstat()}} function does not follow symbolic links, but {{open()}} does. Comparing modes using the {{st_mode}} field is sufficient to check for a symbolic link.

Wiki Markup

Comparing i-nodes using the {{st_ino}} fields and devices using the {{st_dev}} fields ensures that the file passed to {{lstat()}} is the same as the file passed to {{fstat()}} \[[FIO05-A. Identify files using multiple file attributes]\].

Wiki Markup
POSIX.1-2008 \[[Austin Group 08|AA. C References#Austin Group 08]\] adds an {{fstatat()}} function.  The {{fstatat()}} is similar to the {{fstat()}} function, but provides an {{AT_SYMLINK_NOFOLLOW}} flag.  The {{AT_SYMLINK_NOFOLLOW}} flag instructs {{fstatat()}} to return the status of the symbolic link instead of following it, if one is specified.

Code Block
bgColor#ccccff

char *filename;
struct stat fstatat_info;
int fd;
/* ... */

if (fstatat(fd, filename, &fstatat_info, AT_SYMLINK_NOFOLLOW) == -1) {
  /* handle error */
}
if (!S_ISLNK(fstatat_info.st_mode)) {
   if ((fd = open(filename, O_RDWR)) == -1) {
       /* handle error */
   }
}
write(fd, userbuf, userlen);

It is important in this example that filename specifies an absolute path. If path specifies a relative path, the status is retrieved from a file relative to the directory associated with the file descriptor fd

.

Time of creation to time of use (TOCTOU) race condition vulnerabilities can be exploited to gain elevated privileges.

...