Standard FILE objects and their underlying representation (file descriptors on POSIX platforms or handles elsewhere) are a finite resource that must be carefully managed. The number of files that an implementation guarantees may be open simultaneously is bounded by the FOPEN_MAX macro defined in <stdio.h>. The value of the macro is guaranteed to be at least 8. Thus, portable programs must either avoid keeping more than FOPEN_MAX files open at the same time or be prepared for functions such as fopen() to fail due to resource exhaustion.

...

The behavior of a program is undefined when it uses the value of a pointer to a FILE object after the associated file is closed. (See undefined behavior 148 in Annex J of the C Standard.) Programs that close the standard streams (especially stdout, but also stderr and stdin) must be careful not to use the stream objects in subsequent function calls, particularly those that implicitly operate on such objects (such as printf(), perror(), and getc()).

...

In this noncompliant code example, derived from a vulnerability in OpenBSD's chpass program [NAI 1998], a file containing sensitive data is opened for reading. In the get_validated_editor() function, the program retrieves the registered editor from the EDITOR environment variable, sanitizes it so that it names a valid editor, in accordance with FIO02-C. Canonicalize path names originating from untrusted sources, and returns a command for invoking the editor. Back in func(), the program then executes the editor using the system() function. If the system() function is implemented in a way that spawns a child process, then the child process could inherit the file descriptors opened by its parent. If this happens, as it does on POSIX systems, the child process will be able to access the contents of the potentially sensitive file named by file_name.
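The following program is an added example, not code from the CERT page or from chpass. It spawns "sh -c" the way system() does and asks the shell to redirect from the descriptor of a file the parent opened, which only succeeds if the child inherited it. It then compares three policies: leaving the file open (the leak described above), marking the descriptor FD_CLOEXEC so the kernel drops it across execve(), and closing the file before spawning (the FIO42-C fix). The policy names, the helper functions, the use of /dev/null as a stand-in for the sensitive file and the shell redirection trick are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum { LEAVE_OPEN, SET_CLOEXEC, CLOSE_FIRST }; /* assumed policy names */

/* Spawn "sh -c" exactly as system() does and ask the shell to redirect
 * from descriptor fd. The redirection only succeeds if the child inherited
 * an open descriptor with that number, so exit status 0 means "leaked".
 * Returns 1 if the child could use fd, 0 if not, -1 on fork/wait failure. */
int fd_visible_to_shell_child(int fd) {
  char cmd[48];
  int status;
  pid_t pid;

  /* The 2>/dev/null only silences the shell's "Bad file descriptor" note. */
  snprintf(cmd, sizeof cmd, "{ : <&%d; } 2>/dev/null", fd);
  pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
    _exit(127);
  }
  if (waitpid(pid, &status, 0) < 0) return -1;
  return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Open path for reading (standing in for the sensitive file), apply one
 * policy, then check whether a shell child can reach the descriptor. */
int child_sees_file(const char *path, int policy) {
  FILE *f = fopen(path, "r");
  int fd, seen;

  if (f == NULL) return -1;
  fd = fileno(f);
  if (policy == SET_CLOEXEC) {
    /* Still open here, but the kernel closes it across execve(). */
    if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { fclose(f); return -1; }
  } else if (policy == CLOSE_FIRST) {
    /* The FIO42-C fix: release the file before spawning the child. */
    fclose(f);
    f = NULL;
  }
  seen = fd_visible_to_shell_child(fd);
  if (f != NULL) fclose(f);
  return seen;
}
```

FD_CLOEXEC is a defence in depth for descriptors that must stay open in the parent; it does not replace closing files that are no longer needed, and it does nothing for children created by fork() alone.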

...

#include <stdio.h>
#include <stdlib.h>
 
extern const char *get_validated_editor(void);
 
void func(const char *file_name) {
  FILE *f;
  const char *editor;

  f = fopen(file_name, "r");
  if (f == NULL) {
    /* Handle error */
    return;
  }
  
  /* Close the sensitive file before any child process can be spawned,
   * so that its descriptor is not inherited by the editor. */
  fclose(f);
  f = NULL;
  
  editor = get_validated_editor();
  if (editor == NULL) {
    /* Handle error */
    return;
  }
 
  /* Sanitize environment before calling system(). */
  if (system(editor) == -1) {
    /* Handle error */
  }
}

...

Rule    | Severity | Likelihood | Remediation Cost | Priority | Level
FIO42-C | Medium   | Unlikely   | Medium           | P4       | L3

Automated Detection

Tool            | Version | Checker | Description
Compass/ROSE    |         |         |
Fortify SCA     | 5.0     |         | Can detect violations of this rule with CERT C Rule Pack
Klocwork        |         | RH.LEAK |
LDRA tool suite |         | 49 D    | Fully implemented

...

CERT C Secure Coding Standard: WIN03-C. Understand HANDLE inheritance
CERT C++ Secure Coding Standard: FIO42-CPP. Ensure files are properly closed when they are no longer needed
CERT Oracle Secure Coding Standard for Java: FIO04-J. Release resources when they are no longer needed
ISO/IEC TR 17961 (Draft): Failing to close files or free dynamic memory when they are no longer needed [fileclose]
MITRE CWE: CWE-403, UNIX file descriptor leak
MITRE CWE: CWE-404, Improper resource shutdown or release
MITRE CWE: CWE-770, Allocation of resources without limits or throttling

...