CWE-675¶

Multiple Operations on Resource in Single-Operation Context. [Improper-Adherence-To-Coding-Standards]

Required inputs: IR, StaticSemanticAnalysis

The product performs the same operation on a resource two or more times, when the operation should only be applied once.

Demonstrative Examples

Example 1

The following code shows a simple example of a double free vulnerability.

Example Language:C
    char* ptr = (char*)malloc (SIZE);
    ...
    if (abrt) {
        free(ptr);
    }
    ...
    free(ptr);

Double free vulnerabilities have two common (and sometimes overlapping) causes:

Error conditions and other exceptional circumstances
Confusion over which part of the program is responsible for freeing the memory

Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.

Example 2

This code binds a server socket to port 21, allowing the server to listen for traffic on that port.

Example Language:C
    void bind_socket(void) {
        int server_sockfd;
        int server_len;
        struct sockaddr_in server_address;

        /*unlink the socket if already bound to avoid an error when bind() is called*/

        unlink("server_socket");
        server_sockfd = socket(AF_INET, SOCK_STREAM, 0);

        server_address.sin_family = AF_INET;
        server_address.sin_port = 21;
        server_address.sin_addr.s_addr = htonl(INADDR_ANY);
        server_len = sizeof(struct sockaddr_in);

        bind(server_sockfd, (struct sockaddr *) &s1, server_len);
    }

This code may result in two servers binding a socket to same port, thus receiving each other's traffic. This could be used by an attacker to steal packets meant for another process, such as a secure FTP server.

Possible Messages

Key	Text	Severity	Disabled
double_free	Dynamic memory released here was already released earlier	None	False
fd_multiple_deallocated	Possible multiple ‘{}’ calls to file descriptor.	None	False
fd_open_reference_lost	Reference to active file descriptor created by ‘{}’ lost.	None	False
possible_double_free	Dynamic memory released here possibly already released earlier	None	False

Options¶

This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

allocators¶

allocators

Type: set[bauhaus.analysis.config.QualifiedName]

Default: {'_creat', '_dup', '_dup2', '_open', '_wcreat', '_wopen', 'creat', 'dup', 'dup2', 'dup3', 'open', 'openat', 'openat2'}

Set of functions returning a new file descriptor.

deallocators¶

deallocators : set[bauhaus.analysis.config.QualifiedName] = {'_close', 'close'}

Set of functions closing a file descriptor.

resources¶

resources

Type: set[str]

Default: {'C++ArrayHeapMemory', 'C++HeapMemory', 'CudaAsyncMemory', 'CudaDeviceMemory', 'CudaDriverAsyncMemory', 'CudaHostMemory', 'CudaManagedMemory', 'FileHandle', 'HeapMemory', 'UniquePtrHeapMemory'}

Set of resources to be checked (selection of rules in the Resources group).

test_open_filedescriptor_double_closed¶

test_open_filedescriptor_double_closed : bool = True

Perform search for multiple close calls on an open file destriptor.

test_open_filedescriptor_reference_lost¶

test_open_filedescriptor_reference_lost : bool = False

Perform search for a missing reference of an open file destriptor.

witness_paths¶

witness_paths : bool = True

Whether witness paths should be determined and included in the issue.

Axivion Suite 7.12.0

Navigation