Read Time:1 Minute, 20 Second
Description
The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.
Modes of Introduction:
– Implementation
Related Weaknesses
CWE-675
CWE-672
Consequences
Availability, Integrity: DoS: Crash, Exit, or Restart
Potential Mitigations
Phase: Implementation
Description:
Change the code’s logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals.
Phase: Implementation
Description:
It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However, flag-tracking can increase code complexity and requires diligent compliance by the programmer.
Phase: Implementation
Effectiveness: Defense in Depth
Description:
When closing a resource, set the resource’s associated variable to NULL or equivalent value for the given language. Some APIs will ignore this null value without causing errors. For other APIs, this can lead to application crashes or exceptions, which may still be preferable to corrupting an unintended resource such as memory or data.
CVE References
- CVE-2019-13351
- file descriptor double close can cause the wrong file to be associated with a file descriptor.
- CVE-2006-5051
- Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415).
- CVE-2004-0772
- Double free resultant from certain error conditions.
