RFR: JDK-8262199: TOCTOU in jli args.c

Christoph Langer clanger at openjdk.java.net
Tue Feb 23 14:08:43 UTC 2021


On Tue, 23 Feb 2021 13:58:03 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:

> Sonar reports a finding in args.c, where a file check is done.
> Stat performs a check on the file, and later fopen is called on the file:
> https://sonarcloud.io/project/issues?id=shipilev_jdk&languages=c&open=AXck8CL0BBG2CXpcnhtM&resolved=false&types=VULNERABILITY
> 
> The coding could be slightly rewritten so that the potential TOCTOU is removed (however I do not think that it is such a big issue).

This looks good in general. Do you know whether there's a jtreg test that stresses arg files?

src/java.base/share/native/libjli/args.c line 361:

> 359:     if (fptr != NULL) fclose(fptr);
> 360:     exit(1);
> 361: }

Can you insert a blank line here?

-------------

Changes requested by clanger (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/2692
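The pattern Sonar flags, shown as an added example that is not the JDK's args.c code: a `stat()` check on a path followed by a `fopen()` of the same path leaves a window in which the name can be re-pointed, so the file opened is not necessarily the one checked. The checked form opens first and validates the descriptor with `fstat()`. The function names, the `MAX_ARGFILE_SIZE` limit and the sample file under `/tmp` are hypothetical and chosen for this illustration.

```c
/* Added example (not JDK code): the stat()-then-fopen() TOCTOU pattern beside
 * the fstat()-on-the-open-descriptor form that removes the window.  The names
 * open_argfile_racy, open_argfile_checked and MAX_ARGFILE_SIZE are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ARGFILE_SIZE (1024 * 1024)  /* hypothetical size limit for an argument file */

/* Racy form: the path is checked by name, then opened by name.  Between the
 * two calls the name can be replaced (e.g. by a symlink to another file), so
 * the checks may not describe the file that fopen() actually opens. */
FILE *open_argfile_racy(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return NULL;
    if (!S_ISREG(st.st_mode) || st.st_size > MAX_ARGFILE_SIZE) return NULL;
    return fopen(path, "r");            /* TOCTOU window lies between stat() and fopen() */
}

/* Checked form: open first, then validate the descriptor with fstat(), so every
 * property checked belongs to the file that will be read.  O_NOFOLLOW also
 * refuses a symlink at the final path component; drop it if following
 * symlinks is intended behaviour. */
FILE *open_argfile_checked(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return NULL;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_size > MAX_ARGFILE_SIZE) {
        close(fd);
        return NULL;
    }
    FILE *fp = fdopen(fd, "r");         /* the FILE now owns fd */
    if (fp == NULL) close(fd);
    return fp;
}

/* Demo helper: write a small constructed argument file; returns bytes written or -1. */
long write_demo_file(const char *path, const char *content) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs(content, fp);
    fclose(fp);
    return (long)strlen(content);
}

/* Demo helper: 1 if the checked open succeeds for path, 0 otherwise. */
int checked_open_succeeds(const char *path) {
    FILE *fp = open_argfile_checked(path);
    if (fp == NULL) return 0;
    fclose(fp);
    return 1;
}

int main(void) {
    const char *path = "/tmp/argfile_demo.txt";   /* constructed sample file */
    write_demo_file(path, "-Xmx256m\n-Dfoo=bar\n");
    printf("regular file: %d\n", checked_open_succeeds(path));                    /* 1 */
    printf("directory:    %d\n", checked_open_succeeds("."));                     /* 0: fstat says not a regular file */
    printf("missing:      %d\n", checked_open_succeeds("/tmp/argfile_demo_missing")); /* 0 */
    unlink(path);
    return 0;
}
```

The point of the checked form is that nothing is decided from the path after the open: size, type and any other property come from the descriptor, which the attacker cannot re-point. Passing the `FILE*` (or its descriptor) onward instead of the path keeps later readers on the same object.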


More information about the core-libs-dev mailing list