Bug 1232945: [CID 222503] NSS TOCTOU
Status: Closed (RESOLVED INVALID)
Opened 9 years ago, closed 8 years ago
Categories: NSS :: Libraries, defect
Tracking: firefox46 affected
People: Reporter: franziskus, Unassigned
Details: Keywords: coverity, Whiteboard: CID222503
Possible TOCTOU in the following code between stat(file, &statbuf) and open(file, flags, mode)
hash.c:169
>     if (!file || (flags & O_TRUNC) || (stat(file, &statbuf) && (errno == ENOENT)))
>     {
>         if (errno == ENOENT)
>             errno = 0; /* Just in case someone looks at errno */
>         new_table = 1;
>     }
>     else if(statbuf.st_mtime && statbuf.st_size == 0)
>     {
>         /* check for a zero length file and delete it
>          * if it exists
>          */
>         new_table = 1;
>     }
>     hashp->file_size = statbuf.st_size;
>
>     if (file) {
> #if defined(_WIN32) || defined(_WINDOWS) || defined (macintosh) || defined(XP_OS2)
>         if ((hashp->fp = DBFILE_OPEN(file, flags | O_BINARY, mode)) == -1)
>             RETURN_ERROR(errno, error1);
> #else
>         if ((hashp->fp = open(file, flags, mode)) == -1)
>             RETURN_ERROR(errno, error1);
(For context, the hash.c file in question appears to be lib/dbm/src/hash.c) I don't think this is an issue, since the file is opened regardless of the results of the stat call. It does look like the file size is obtained in a potentially untrustworthy way, but even if that could cause problems, this requires local file system access, in which case an attacker can do much worse things in easier ways.
Updated • 8 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Updated • 8 years ago
Group: crypto-core-security
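
The stat()/open() ordering discussed in this bug, next to an open-then-fstat() ordering that ties the recorded size to the descriptor actually opened, as an added example (not NSS code and not part of the bug). The names `swap_file`, `stat_then_open`, `open_then_fstat` and `size_matches` are hypothetical, and the file replacement is done in-process on a constructed temp file to stand in for a concurrent local change.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not NSS code: swap_file() stands in for a concurrent local file replacement. */
static void swap_file(const char *path) {
    char tmp[64];
    snprintf(tmp, sizeof tmp, "%s.new", path);
    FILE *f = fopen(tmp, "w");
    if (f) { fputs("replacement", f); fclose(f); rename(tmp, path); }
}

/* Ordering in the report: size from stat(path), descriptor from a later open(path). */
static int stat_then_open(const char *path, off_t *size) {
    struct stat sb;
    *size = (stat(path, &sb) == 0) ? sb.st_size : 0;
    swap_file(path);                      /* file changes inside the window */
    return open(path, O_RDONLY);
}

/* Alternative ordering: open first, then fstat() the descriptor actually opened. */
static int open_then_fstat(const char *path, off_t *size) {
    struct stat sb;
    int fd = open(path, O_RDONLY);
    swap_file(path);                      /* same interference, after the open */
    *size = (fd >= 0 && fstat(fd, &sb) == 0) ? sb.st_size : 0;
    return fd;
}

/* 1 if the recorded size equals the opened file's real size, 0 if not, -1 on setup error. */
static int size_matches(int use_fstat) {
    char path[] = "/tmp/toctou_demo_XXXXXX";   /* constructed sample file */
    off_t recorded = -1, actual = -2;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int ok = write(fd, "hello", 5) == 5;
    close(fd);
    fd = !ok ? -1 : use_fstat ? open_then_fstat(path, &recorded) : stat_then_open(path, &recorded);
    if (fd >= 0) { actual = lseek(fd, 0, SEEK_END); close(fd); }
    unlink(path);
    return fd < 0 ? -1 : recorded == actual;
}

int main(void) {
    printf("stat then open: %d, open then fstat: %d\n", size_matches(0), size_matches(1));
    return 0;
}
```

With the stat-first ordering the recorded size describes the file that was at the path before the swap, while the descriptor refers to its replacement; with fstat() on the descriptor both describe the same object.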