# CWE-362 – Race Condition

**A race condition occurs within concurrent environments and is effectively a property of a code sequence.**

* Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc.

A race condition violates basic properties:

* **Exclusivity** - the code sequence is given **exclusive access to the shared resource**.
  * no other code sequence can modify the properties of the shared resource before the original sequence has completed execution.
* **Atomicity** - the code sequence is **behaviorally atomic**.
  * no other thread or process can concurrently execute the same sequence of instructions (or a subset) against the same resource.

Race condition exists when an "interfering code sequence" can still access the shared resource, violating exclusivity.

Programmers may assume that certain code sequences execute too quickly to be affected by an interfering code sequence; when they are not, this violates atomicity.

* “too quickly” may degrade with time to slower execution as functionality is added.
* “too quickly” is system dependent.

E-commerce application that supports transfers between accounts.

* It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account.

Race condition between.

* GetBalanceFromDatabase()
* SendNewBalanceToDatabase()

<pre class="language-php"><code class="lang-php">$transfer_amount = GetTransferAmount();
$balance = GetBalanceFromDatabase();

if ($transfer_amount &#x3C; 0) {
<strong>    FatalError("Bad Transfer Amount");
</strong><strong>}
</strong><strong>
</strong>$newbalance = $balance - $transfer_amount;

if (($balance - $transfer_amount) &#x3C; 0) {
    FatalError("Insufficient Funds");
}
    
SendNewBalanceToDatabase($newbalance);
NotifyUser("Transfer of $transfer_amount succeeded.");
NotifyUser("New balance: $newbalance");
</code></pre>

## Example - Banking

```php
$transfer_amount = GetTransferAmount();
$balance = GetBalance();

if ($transfer_amount < 0) {
    FatalError("Bad Transfer Amount");
}

$nb = $balance - $transfer_amount;

if (($balance - $transfer_amount) < 0) {
    FatalError("Insufficient Funds");
}

SetNewBalanceToDB($nb);
NotifyUser("Transfer of $transfer_amount succeeded.");
NotifyUser("New balance: $newbalance");
```

The balance could have changed between the instructions:

* ```php
  $balance = GetBalance();
  ```
* ```php
  if (($balance - $transfer_amount) < 0) ...
  ```

Other operations could have happened between these lines. `$newbalance` is set to a static value.

<figure><img src="/files/GYxyTDZqWttEXaLaDS1M" alt=""><figcaption></figcaption></figure>

* Initial balance: 1000€
* Total transferred out: 1100€
* Final balance: 800€
* Result: Bank lost 700€


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://davidjosearaujo.gitbook.io/notes-mcs/analysis-and-exploration-of-vulnerabilities/concurrency/basic-time-related-cwes/cwe-362-race-condition.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.