Szczegóły CWE-1341

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

Sposoby wprowadzenia

Implementation

Odpowiednie platformy

Język

Name: Java (Undetermined)
Name: Rust (Undetermined)
Class: Not Language-Specific (Undetermined)
Name: C (Undetermined)
Name: C++ (Undetermined)

Systemy operacyjne

Class: Not OS-Specific (Undetermined)

Architektury

Class: Not Architecture-Specific (Undetermined)

Technologie

Class: Not Technology-Specific (Undetermined)

Typowe konsekwencje

Zaobserwowane przykłady

Potencjalne środki zaradcze

Phases : Implementation
Change the code's logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals.
Phases : Implementation
It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However, flag-tracking can increase code complexity and requires diligent compliance by the programmer.
Phases : Implementation
When closing a resource, set the resource's associated variable to NULL or equivalent value for the given language. Some APIs will ignore this null value without causing errors. For other APIs, this can lead to application crashes or exceptions, which may still be preferable to corrupting an unintended resource such as memory or data.

Metody wykrywania

Automated Static Analysis

For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.

Automated Dynamic Analysis

Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.

Uwagi dotyczące mapowania podatności

Uzasadnienie : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Komentarz : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notatki

The terms related to "release" may vary depending on the type of resource, programming language, specification, or framework. "Close" has been used synonymously for the release of resources like file descriptors and file handles. "Return" is sometimes used instead of Release. "Free" is typically used when releasing memory or buffers back into the system for reuse.

Odniesienia

REF-1198

close - Perldoc Browser
https://perldoc.perl.org/functions/close

REF-1199

io - Core tools for working with streams — Python 3.9.7 documentation
https://docs.python.org/3.9/library/io.html#io.IOBase.close

REF-1200

FileOutputStream (Java Platform SE 7 )
https://docs.oracle.com/javase/7/docs/api/java/io/FileOutputStream.html

REF-1201

FileOutputStream (Java SE 11 & JDK 11 )
https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/FileOutputStream.html

Zgłoszenie

Modyfikacje