Closed Bug 1232943 Opened 9 years ago Closed 8 years ago

[CID 749674] NSS TOCTOU

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox46 affected)

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
firefox46 --- affected

People

(Reporter: franziskus, Unassigned)

References

Details

(Keywords: coverity, Whiteboard: CID749674) 

Possible TOCTOU between stat(path, &sbuf) and open(path, in the following code

mktemp.c:102
>	for (start = trv + 1;; --trv) {
>		char saved;
>		if (trv <= path)
>			break;
>		saved = *trv;
>		if (saved == '/' || saved == '\\') {
>			int rv;
>			*trv = '\0';
>			rv = stat(path, &sbuf);
>			*trv = saved;
>			if (rv)
>				return(0);
>			if (!S_ISDIR(sbuf.st_mode)) {
>				errno = ENOTDIR;
>				return(0);
>			}
>			break;
>		}
>	}
> 
>	for (;;) {
>		if (doopen) {
>			if ((*doopen =
>			    open(path, O_CREAT|O_EXCL|O_RDWR|extraFlags, 0600)) = 0)
>				return(1);
>			if (errno != EEXIST)
>				return(0);
>		}
I don't think this is a problem. Due to the temporarily placed null characters, the calls to stat are never the same as what's passed to open.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Group: crypto-core-security
You need to log in before you can comment on or make changes to this bug.