
Failing to close files when they are no longer needed may allow attackers to exhaust, and possibly manipulate, system resources. This phenomenon is typically referred to as file descriptor leakage, although file pointers may also be used as an attack vector. In addition, keeping files open longer than necessary increases the risk that data written into in-memory file buffers will not be flushed in the event of abnormal program termination. To prevent file descriptor leaks and to guarantee that any buffered data will be flushed into permanent storage, files must be closed when they are no longer needed.

The behavior of a program is undefined when it uses the value of a pointer to a FILE object after the associated file is closed. (See undefined behavior 140 in Annex J.2 of C99.) Programs that close the standard streams (especially stdout, but also stderr and stdin) must therefore not use those stream objects in subsequent function calls, especially calls that operate on them implicitly (such as printf(), perror(), and getc()).

...

Wiki Markup
In this noncompliant code example, derived from a [vulnerability|BB. Definitions#vulnerability] in OpenBSD's {{chpass}} program \[[NAI 1998|AA. Bibliography#NAI 98]\], a file containing sensitive data is opened for reading. The program then retrieves the registered editor from the {{EDITOR}} environment variable and executes it using the {{system()}} function. If {{system()}} is implemented by spawning a child process (as it is on POSIX systems, where it forks and executes the shell), the child inherits every file descriptor the parent has open without the close-on-exec flag. As a result, the child process, which in this example is the program named by the {{EDITOR}} environment variable, can read the contents of the potentially sensitive file {{file_name}} through the inherited descriptor.

...

Wiki Markup
Some systems (such as those with Linux kernel versions 2.6.23 and later) provide an {{O_CLOEXEC}} flag that sets close-on-exec directly in {{open()}}. This flag is required by POSIX.1-2008 \[[Austin Group 2008|AA. Bibliography#Austin Group 08]\]. In multithreaded programs, {{O_CLOEXEC}} should be used whenever it is available, because it closes the timing hole that exists between {{open()}} and a subsequent {{fcntl(fd, F_SETFD, FD_CLOEXEC)}}: during that window another thread can create a child process that inherits the descriptor before close-on-exec has been set.
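The following C program is an added example, not code from this page, from OpenBSD's chpass, or from any of the tools listed below. It places the plain open() of the noncompliant example beside the two close-on-exec variants discussed above (fcntl() with FD_CLOEXEC, and O_CLOEXEC), checks each descriptor with fcntl(F_GETFD), and then probes inheritance the way system() would expose it, by executing /bin/sh and asking it to redirect from the descriptor number. The helper names, the temporary file under /tmp, its constructed contents, and the ': <&N' shell probe are assumptions of this example.

```c
/* Added example (not from the CERT page or OpenBSD chpass): compare a plain
 * open() with the two close-on-exec variants and probe whether a child
 * spawned through /bin/sh inherits the descriptor.  Helper names and the
 * temporary file path are assumptions of this example. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd has FD_CLOEXEC set, 0 if not, -1 on error. */
int has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Noncompliant: the descriptor survives fork()+exec, so the editor that
 * system() runs can read the sensitive file through it. */
int open_noncompliant(const char *path) {
    return open(path, O_RDONLY);
}

/* Compliant but racy in multithreaded programs: between open() and
 * fcntl() another thread may fork()+exec and inherit the descriptor. */
int open_fcntl_cloexec(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd == -1) return -1;
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Compliant and atomic: POSIX.1-2008 O_CLOEXEC sets the flag inside open(). */
int open_o_cloexec(const char *path) {
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Probe inheritance the way system() would expose it: run /bin/sh and ask it
 * to redirect from the descriptor number.  Exit status 0 means the shell could
 * use the fd (it leaked across exec); nonzero means exec closed it.
 * Returns 1 = inherited, 0 = not inherited, -1 = error. */
int child_inherits_fd(int fd) {
    char cmd[32];
    snprintf(cmd, sizeof cmd, ": <&%d", fd);
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);   /* hide "Bad file descriptor" */
        if (devnull != -1) { dup2(devnull, STDERR_FILENO); close(devnull); }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Creates a throwaway file holding constructed "sensitive" content and copies
 * its path into buf.  Returns 0 on success, -1 on error. */
int make_secret_file(char *buf, size_t bufsize) {
    char tmpl[] = "/tmp/fio42-secret-XXXXXX";
    if (bufsize < sizeof tmpl) return -1;
    int fd = mkstemp(tmpl);
    if (fd == -1) return -1;
    const char secret[] = "constructed sensitive data\n";
    if (write(fd, secret, sizeof secret - 1) != (ssize_t)(sizeof secret - 1)) {
        close(fd); unlink(tmpl); return -1;
    }
    close(fd);
    memcpy(buf, tmpl, sizeof tmpl);
    return 0;
}

/* Opens a fresh secret file with each strategy and records, per strategy,
 * whether FD_CLOEXEC is set and whether a shell child inherited the fd.
 * Index 0 = open(), 1 = open()+FD_CLOEXEC, 2 = open(O_CLOEXEC).
 * Returns 0 on success, -1 on error. */
int probe_all(int cloexec[3], int inherited[3]) {
    char path[64];
    int (*openers[3])(const char *) = { open_noncompliant, open_fcntl_cloexec, open_o_cloexec };
    if (make_secret_file(path, sizeof path) != 0) return -1;
    int rc = 0;
    for (int i = 0; i < 3; i++) {
        int fd = openers[i](path);
        if (fd == -1) { rc = -1; break; }
        cloexec[i] = has_cloexec(fd);
        inherited[i] = child_inherits_fd(fd);
        close(fd);               /* close as soon as the probe is done */
    }
    unlink(path);
    return rc;
}

int main(void) {
    const char *names[3] = { "open()", "open()+FD_CLOEXEC", "open(O_CLOEXEC)" };
    int cloexec[3], inherited[3];
    if (probe_all(cloexec, inherited) != 0) { perror("probe_all"); return 1; }
    for (int i = 0; i < 3; i++)
        printf("%-20s FD_CLOEXEC=%d child_inherits_fd=%d\n", names[i], cloexec[i], inherited[i]);
    return 0;
}
```

Only the plain open() leaves the descriptor usable by the shell child; both close-on-exec variants hide it. The probe is deliberately run through /bin/sh rather than by inspecting the child with fcntl(), because the flag only takes effect at exec time: a forked child that never execs still sees every descriptor, which is also why the fcntl() variant has a window in multithreaded code.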

...

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
FIO42-C   medium    unlikely    medium            P4        L3

Automated Detection

...

Tool             Version       Checker   Description
LDRA tool suite  c:LDRA_V
Fortify SCA      V. 5.0                  can detect violations of this rule with CERT C Rule Pack
Klocwork         c:Klocwork_V  RH.LEAK   Klocwork can detect violations of this rule with the RH.LEAK checker. See Klocwork Cross Reference
Compass/ROSE

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard: FIO42-CPP. Ensure files are properly closed when they are no longer needed

The CERT Oracle Secure Coding Standard for Java: FIO06-J. Ensure all resources are properly closed when they are no longer needed

MITRE CWE: CWE-404, "Improper Resource Shutdown or Release"

MITRE CWE: CWE-403, "UNIX File Descriptor Leak"

MITRE CWE: CWE-770, "Allocation of Resources Without Limits or Throttling"

Bibliography

Wiki Markup
\[[Austin Group 2008|AA. Bibliography#Austin Group 08]\]
\[[Dowd 2006|AA. Bibliography#Dowd 06]\] Chapter 10, "UNIX Processes" (File Descriptor Leaks, pp. 582-587)
\[[MITRE 07|AA. Bibliography#MITRE 07]\] [CWE-404|http://cwe.mitre.org/data/definitions/404.html], "Improper Resource Shutdown or Release"; [CWE-403|http://cwe.mitre.org/data/definitions/403.html], "UNIX File Descriptor Leak"; and [CWE-770|http://cwe.mitre.org/data/definitions/770.html], "Allocation of Resources Without Limits or Throttling"
\[[MSDN|AA. Bibliography#MSDN]\] [Inheritance|http://msdn.microsoft.com/en-us/library/ms683463.aspx] (Windows)
\[[NAI 1998|AA. Bibliography#NAI 98]\]

...