ABSTRACT

The program can potentially fail to release a file handle.

EXPLANATION

The program can potentially fail to release a file handle.


Resource leaks have at least two common causes:

- Error conditions and other exceptional circumstances.

- Confusion over which part of the program is responsible for releasing the resource.

Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.

Example 1: The following method never closes the file handle it opens. The finalize() method for ZipFile eventually calls close(), but there is no guarantee as to how long it will take before the finalize() method will be invoked. In a busy environment, this can result in the JVM using up all of its file handles.


public void printZipContents(String fName)
throws ZipException, IOException, SecurityException, IllegalStateException, NoSuchElementException
{
ZipFile zf = new ZipFile(fName);
Enumeration<ZipEntry> e = zf.entries();

while (e.hasMoreElements()) {
printFileInfo(e.nextElement());
}
}


Example 2: Under normal conditions, the following fix properly closes the file handle after printing out all the zip file entries. But if an exception occurs while iterating through the entries, the zip file handle will not be closed. If this happens often enough, the JVM can still run out of available file handles.


public void printZipContents(String fName)
throws ZipException, IOException, SecurityException, IllegalStateException, NoSuchElementException
{
ZipFile zf = new ZipFile(fName);
Enumeration<ZipEntry> e = zf.entries();

while (e.hasMoreElements()) {
printFileInfo(e.nextElement());
}
}

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II

[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 404

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9

[5] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 404