A call to the fopen() or freopen() function must be matched with a call to fclose() before the lifetime of the last pointer object that stores the return value of the call has ended, or before program termination, whichever occurs first.

In general, this rule can also be applied to other functions with open and close resources, such as the POSIX open() and close() functions, or the Microsoft Windows CreateFile() and CloseHandle() functions.

Noncompliant Code Example

This code example is noncompliant because the resource allocated by the call to fopen() is not closed before function func() returns.

#include <stdio.h>
 
int func(const char *filename) {
  FILE *f = fopen(filename, "r"); 
  if (NULL == f) {
    return -1;
  }

  /* ... */

  return 0;
}

Compliant Solution

In this compliant solution, f is closed before returning to the caller:

#include <stdio.h>
 
int func(const char *filename) {
  FILE *f = fopen(filename, "r"); 
  if (NULL == f) {
    return -1;
  }

  /* ... */

  if (fclose(f) == EOF) {
    return -1;
  }
  return 0;
}

Noncompliant Code Example (exit())

This code example is noncompliant because the resource allocated by the call to fopen() is not closed before the program terminates.  Although exit() closes the file, if any error occurs when flushing or closing the file, the program has no way of knowing about it.

#include <stdio.h>
#include <stdlib.h>
  
int main(void) {
  FILE *f = fopen(filename, "w"); 
  if (NULL == f) {
    /* Handle error */
  }

  /* ... */

  exit(EXIT_SUCCESS);
}

Compliant Solution (exit())

In this compliant solution, the program closes f explicitly before it calls exit(), allowing it to handle any error that occurs when flushing or closing the file:

#include <stdio.h>
#include <stdlib.h>

int main(void) {
  FILE *f = fopen(filename, "w"); 
  if (NULL == f) {
    /* Handle error */
  }

  /* ... */

  if (fclose(f) == EOF) {
    /* Handle error */
  }

  exit(EXIT_SUCCESS);
}

Noncompliant Code Example (POSIX)

This code example is noncompliant because the resource allocated by the call to open() is not closed before function func() returns.

#include <stdio.h>
#include <fcntl.h>
 
int func(const char *filename) {
  int fd = open(filename, O_RDONLY, S_IRUSR);
  if (-1 == fd) {
    return -1
  }

  /* ... */

  return 0;
}

Compliant Solution (POSIX)

In this compliant solution, fd is closed before returning to the caller:

#include <stdio.h>
#include <fcntl.h>
 
int func(const char *filename) {
  int fd = open(filename, O_RDONLY, S_IRUSR);
  if (-1 == fd) {
    return -1
  }

  /* ... */

  if (close(fd) == -1) {
    return -1;
  }
  return 0;
}

Noncompliant Code Example (Windows)

In this noncompliant code example, a file is opened using the Microsoft Windows CreateFile() API, but it is not subsequently closed before func() returns.

#include <Windows.h>
 
int func(LPCTSTR filename) {
  HANDLE hFile = CreateFile(filename, GENERIC_READ, 0, NULL,
                            OPEN_EXISTING,
                            FILE_ATTRIBUTE_NORMAL, NULL);
  if (INVALID_HANDLE_VALUE == hFile) {
    return -1;
  }
 
  /* ... */
 
  return 0;
}

Compliant Solution (Windows)

In this compliant solution, hFile is closed using the CloseHandle() API before returning to the caller.

#include <Windows.h>
 
int func(LPCTSTR filename) {
  HANDLE hFile = CreateFile(filename, GENERIC_READ, 0, NULL,
                            OPEN_EXISTING,
                            FILE_ATTRIBUTE_NORMAL, NULL);
  if (INVALID_HANDLE_VALUE == hFile) {
    return -1;
  }
 
  /* ... */
 
  if (!CloseHandle(hFile)) {
    return -1;
  }
 
  return 0;
}

Risk Assessment

Failing to properly close files may allow an attacker to exhaust system resources and increases the risk that data written into in-memory file buffers will not be flushed in the event of abnormal program termination. .

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO42-C

Medium

Unlikely

Medium

P4

L3

Automated Detection

This rule is stricter than rule [fileclose] in TS 17961. Analyzers that conform to the TS may not detect all violations of this rule.

Tool

Version

Checker

Description

Compass/ROSE

   

Fortify SCA

5.0

 

Can detect violations of this rule with CERT C Rule Pack

Klocwork

RH.LEAK

 

LDRA tool suite

49 D

Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding StandardFIO42-CPP. Ensure files are properly closed when they are no longer needed
CERT Oracle Secure Coding Standard for JavaFIO04-J. Release resources when they are no longer needed
ISO/IEC TS 17961Failing to close files or free dynamic memory when they are no longer needed [fileclose]
MITRE CWECWE-404, Improper resource shutdown or release

Bibliography

[IEEE Std 1003.1:2013]XSH, System Interfaces, open