...
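```c
/* Requires <fcntl.h>, <sys/stat.h> and <unistd.h>. */
struct stat lstat_info;
int fd;
/* Time of check: lstat() examines the name without following a link. */
if (lstat("some_file", &lstat_info) == -1) {
  /* handle error */
}
if (!S_ISLNK(lstat_info.st_mode)) {
  /* Time of use: open() resolves the name again and follows a link. */
  if ((fd = open("some_file", O_RDWR)) == -1) {
    /* handle error */
  }
  /* Write only on the path where fd was assigned. */
  write(fd, userbuf, userlen);
}
```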
Unfortunately, this code is vulnerable to a time-of-check, time-of-use (TOCTOU) race condition. The lstat() and open() calls each resolve the file name independently, so an attacker merely has to create the malicious linked file after the lstat() call but before the open() call.
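One way to remove that window, shown as an added example rather than code from the original page: let open() itself refuse a symbolic link with O_NOFOLLOW, then validate the opened descriptor with fstat(). The names open_regular_nofollow and demo_nofollow and the temporary paths are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (name is an assumption): open path read/write only if
 * its final component is a regular file, never a symbolic link.
 * Returns a descriptor, or -1 with errno set. */
int open_regular_nofollow(const char *path) {
  struct stat st;
  /* The link test happens inside open() itself, so there is no window
   * between check and use. A symlink fails with ELOOP (EMLINK on FreeBSD). */
  int fd = open(path, O_RDWR | O_NOFOLLOW);
  if (fd == -1) return -1;
  /* fstat() describes the object actually opened, not the name. */
  if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) {
    close(fd);
    errno = EINVAL;
    return -1;
  }
  return fd;
}

/* Constructed scenario: a regular file and a symlink to it in a fresh
 * temporary directory. Returns 0 when the file opens and the link is refused. */
int demo_nofollow(void) {
  char dir[] = "/tmp/nofollow-XXXXXX", file[64], lnk[64];
  int fd, rc = 0;
  if (mkdtemp(dir) == NULL) return 1;
  snprintf(file, sizeof file, "%s/some_file", dir);
  snprintf(lnk, sizeof lnk, "%s/some_link", dir);
  fd = open(file, O_CREAT | O_EXCL | O_WRONLY, 0600);
  if (fd == -1 || close(fd) == -1 || symlink(file, lnk) == -1) rc = 2;
  if (rc == 0 && (fd = open_regular_nofollow(file)) == -1)
    rc = 3;                       /* regular file must open */
  else if (rc == 0)
    close(fd);
  if (rc == 0 && (fd = open_regular_nofollow(lnk)) != -1) {
    close(fd);
    rc = 4;                       /* symlink must be refused */
  } else if (rc == 0 && errno != ELOOP && errno != EMLINK)
    rc = 5;                       /* refused, but for another reason */
  unlink(lnk); unlink(file); rmdir(dir);
  return rc;
}
int main(void) { return demo_nofollow(); }
```

O_NOFOLLOW only guards the final path component; a symbolic link in an intermediate directory is still followed.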
Compliant Solution (Linux 2.1.26+, FreeBSD, Solaris 10, POSIX.1-2008)
...