CWE-663 – Use of a Non-reentrant Function in a Concurrent Context

Description

The software calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-662

 

Consequences

Integrity, Confidentiality, Other: Modify Memory, Read Memory, Modify Application Data, Read Application Data, Alter Execution Logic

 

Potential Mitigations

Phase: Implementation

Description: Use reentrant functions if available.

Phase: Implementation

Description: Add synchronization to your non-reentrant function.

Phase: Implementation

Description: In Java, use the ReentrantLock Class.
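The first mitigation illustrated in C, as an added example that is not part of the CWE entry: `strtok` keeps its position in hidden static storage, while `strtok_r` keeps it in a caller-owned pointer. The helper names and sample strings are constructed for illustration, and the competing thread or signal handler is simulated by a direct call on one thread so the outcome is deterministic.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for strtok_r */
#endif
#include <stdio.h>
#include <string.h>

/* Stand-in for a competing thread or signal handler (hypothetical helper):
 * it tokenizes its own constructed data between two calls of the main loop. */
static void competitor(int reentrant) {
    static char other[8];
    char *save;
    strcpy(other, "x:y");
    if (reentrant)
        strtok_r(other, ":", &save);   /* state lives in the caller's 'save' */
    else
        strtok(other, ":");            /* overwrites strtok's hidden static state */
}

/* Split the constructed input "a,b,c", joining tokens with '|' into out.
 * The competitor runs once, right after the first token is returned. */
const char *split_with_interference(int reentrant, char *out, size_t outsz) {
    char buf[] = "a,b,c";
    char *save = NULL, *tok;
    int n = 0;
    out[0] = '\0';
    tok = reentrant ? strtok_r(buf, ",", &save) : strtok(buf, ",");
    while (tok != NULL) {
        if (n++ > 0)
            strncat(out, "|", outsz - strlen(out) - 1);
        strncat(out, tok, outsz - strlen(out) - 1);
        if (n == 1)
            competitor(reentrant);
        tok = reentrant ? strtok_r(NULL, ",", &save) : strtok(NULL, ",");
    }
    return out;
}

int main(void) {
    char out[32];
    printf("strtok:   %s\n", split_with_interference(0, out, sizeof out));
    printf("strtok_r: %s\n", split_with_interference(1, out, sizeof out));
    return 0;
}
```

With `strtok`, the main sequence resumes inside the competitor's buffer: it drops its own remaining tokens and returns the other sequence's data, which matches the "Read Application Data" and "Alter Execution Logic" consequences listed above.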

CVE References

  • CVE-2001-1349
    • unsafe calls to library functions from signal handler
  • CVE-2004-2259
    • SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.