...
This POSIX code example verifies that each subsequent file access operates on the same file. In POSIX, every file can be uniquely identified by using its device and i-node attributes. This code example checks that a file name refers to a regular file (and not a directory, symbolic link, or other special file) by invoking lstat(). This call also retrieves its device and i-node. The file is subsequently opened. Finally, the program verifies that the file that was opened is the same one (matching device and i-nodes) as the file that was confirmed as a regular file.
```c
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int open_regular_file(char *filename, int flags) {
  struct stat lstat_info;
  struct stat fstat_info;
  int f;

  /* Check: record the type, device and i-node of the named file */
  if (lstat(filename, &lstat_info) == -1) {
    /* File does not exist, handle error */
    return -1;
  }

  if (!S_ISREG(lstat_info.st_mode)) {
    /* File is not a regular file, handle error */
    return -1;
  }

  /* Use: open the file by name */
  if ((f = open(filename, flags)) == -1) {
    /* File has disappeared, handle error */
    return -1;
  }

  if (fstat(f, &fstat_info) == -1) {
    /* Handle error */
    close(f);
    return -1;
  }

  /* Verify: the open descriptor must refer to the file that was checked */
  if (lstat_info.st_ino != fstat_info.st_ino ||
      lstat_info.st_dev != fstat_info.st_dev) {
    /* Open file is not the expected regular file, handle error */
    close(f);
    return -1;
  }

  /* f is the expected regular open file */
  return f;
}
```
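An added example, not part of the original rule text: the check and the use described above are split into two functions so that a constructed scenario can re-point the path between them and show the device and i-node comparison rejecting the swapped file. The names check_regular, open_same_file, touch and run_scenario, the return codes, and the temporary paths are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check: record the identity of the regular file currently behind path. */
int check_regular(const char *path, struct stat *id) {
    return (lstat(path, id) == 0 && S_ISREG(id->st_mode)) ? 0 : -1;
}

/* Use: open path, then confirm the descriptor refers to the file recorded
   in id. Returns the fd, -1 if open fails, -2 if the identity changed. */
int open_same_file(const char *path, int flags, const struct stat *id) {
    struct stat now;
    int fd = open(path, flags);
    if (fd == -1) return -1;
    if (fstat(fd, &now) == -1 ||
        now.st_ino != id->st_ino || now.st_dev != id->st_dev) {
        close(fd);
        return -2;
    }
    return fd;
}

static int touch(const char *path) {
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    return fd == -1 ? -1 : close(fd);
}

/* Constructed scenario in a private temporary directory. With swap != 0 the
   path is re-pointed at a different file between the check and the open.
   Returns 0 if the open was accepted, else the negative code from above. */
int run_scenario(int swap) {
    char dir[] = "/tmp/toctou_demo_XXXXXX", a[64], b[64];
    struct stat id;
    int rc = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(a, sizeof a, "%s/data", dir);
    snprintf(b, sizeof b, "%s/other", dir);
    if (touch(a) == 0 && touch(b) == 0 && check_regular(a, &id) == 0) {
        if (swap) rename(b, a);  /* both files coexisted, so i-nodes differ */
        rc = open_same_file(a, O_RDONLY, &id);
        if (rc >= 0) { close(rc); rc = 0; }
    }
    unlink(a); unlink(b); rmdir(dir);
    return rc;
}
```

run_scenario(0) returns 0 because the opened file matches the one that was checked; run_scenario(1) returns -2 because the descriptor's i-node no longer matches the recorded one.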
...
TOCTOU race conditions can result in unexpected behavior, including privilege escalation.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO45-C | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
CodeSonar | | IO.RACE | File system race condition |
Coverity | | TOCTOU | Implemented |
Klocwork | | SV.TOCTOU.FILE_ACCESS | |
LDRA tool suite | | 75 D | Partially implemented |
Polyspace Bug Finder | | File access between time of check and use (TOCTOU) | File or folder might change state due to access race |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
...