mirror of
https://github.com/isc-projects/bind9.git
synced 2026-05-22 10:10:14 -04:00
The function existence-checked the target with stat() and then opened the same path without O_NOFOLLOW, so a symlink at the target path passed the regular-file test against the link's destination and the open() that followed truncated and wrote through the link. rndc-confgen -a is typically run as root and writes the keyfile under a directory that service accounts may have write access to, so a stray symlink there would silently redirect the truncate, fchown, and overwrite to whatever file the link pointed at.

Switch the existence check to lstat() and use S_ISREG() so a symlink's S_IFLNK mode is detected directly (a plain bitmask of S_IFREG matches both, since S_IFLNK shares its high bit). Add O_NOFOLLOW to both open() flag sets to close the lstat/open TOCTOU window.

Hardening against unexpected symlinks on intermediate path components is out of scope.

Assisted-by: Claude:claude-opus-4-7

| Name |
|---|
| .. |
| dns |
| isc |
| isccc |
| isccfg |
| ns |
| .gitignore |
| meson.build |
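
The check described in the commit message above, as an added example that is not BIND 9 source: `open_keyfile()` and `mask_says_regular()` are hypothetical names, and the `O_CREAT | O_EXCL` create path and the `EINVAL` return are assumptions of this sketch. It shows why the bitmask test accepts a symlink and how `lstat()`, `S_ISREG()` and `O_NOFOLLOW` combine to refuse one, including a dangling link that `stat()` would report as absent.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The flawed test: S_IFLNK (0120000) contains the S_IFREG bit (0100000),
 * so a plain mask reports a symlink as a regular file. */
int mask_says_regular(mode_t m) { return (m & S_IFREG) != 0; }

/* Hypothetical helper (not BIND 9 source): open a key file for writing
 * without following a symlink at `path`. Returns an fd, or -1 with errno
 * set; EINVAL means the existing entry is not a regular file. */
int open_keyfile(const char *path) {
    struct stat sb;
    int flags = O_WRONLY | O_NOFOLLOW;

    if (lstat(path, &sb) == 0) {
        /* lstat() describes the link itself, never its destination. */
        if (!S_ISREG(sb.st_mode)) {
            errno = EINVAL;
            return -1;
        }
        flags |= O_TRUNC;
    } else if (errno == ENOENT) {
        /* Assumption of this example: O_EXCL also refuses anything
         * created at `path` after the lstat(). */
        flags |= O_CREAT | O_EXCL;
    } else {
        return -1;
    }
    /* O_NOFOLLOW fails with ELOOP if a link was swapped in after lstat(). */
    return open(path, flags, S_IRUSR | S_IWUSR);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <keyfile>\n", argv[0]);
        return EXIT_FAILURE;
    }
    int fd = open_keyfile(argv[1]);
    if (fd < 0) {
        perror(argv[1]);
        return EXIT_FAILURE;
    }
    close(fd);
    return EXIT_SUCCESS;
}
```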