1. Home
  2. CWE Database
  3. CWE-772
Base · Medium

CWE-772: Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

CWE-772 · Base Level ·8 CVEs ·3 Mitigations

Description

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Potential Impact

Availability

DoS: Resource Consumption (Other), DoS: Resource Consumption (Memory), DoS: Resource Consumption (CPU)

Demonstrative Examples

The following method never closes the new file handle. Given enough time, the Finalize() method for BufferReader should eventually call Close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that Finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the Close() function is called.
Bad
private void processFile(string fName){BufferReader fil = new BufferReader(new FileReader(fName));String line;while ((line = fil.ReadLine()) != null){processLine(line);}}
The good code example simply adds an explicit call to the Close() function when the system is done using the file. Within a simple example such as this the problem is easy to see and fix. In a real system, the problem may be considerably more obscure.
Good
private void processFile(string fName){BufferReader fil = new BufferReader(new FileReader(fName));String line;while ((line = fil.ReadLine()) != null){processLine(line);}fil.Close();}
The following code attempts to open a new connection to a database, process the results returned by the database, and close the allocated SqlConnection object.
Bad
SqlConnection conn = new SqlConnection(connString);SqlCommand cmd = new SqlCommand(queryString);cmd.Connection = conn;conn.Open();SqlDataReader rdr = cmd.ExecuteReader();HarvestResults(rdr);conn.Connection.Close();
The problem with the above code is that if an exception occurs while executing the SQL or processing the results, the SqlConnection object is not closed. If this happens often enough, the database will run out of available cursors and not be able to execute any more SQL queries.
This code attempts to open a connection to a database and catches any exceptions that may occur.
Bad
try {Connection con = DriverManager.getConnection(some_connection_string);}catch ( Exception e ) {log( e );}
If an exception occurs after establishing the database connection and before the same connection closes, the pool of database connections may become exhausted. If the number of available connections is exceeded, other users cannot access this resource, effectively denying access to the application.
Under normal conditions the following C# code executes a database query, processes the results returned by the database, and closes the allocated SqlConnection object. But if an exception occurs while executing the SQL or processing the results, the SqlConnection object is not closed. If this happens often enough, the database will run out of available cursors and not be able to execute any more SQL queries.
Bad
...SqlConnection conn = new SqlConnection(connString);SqlCommand cmd = new SqlCommand(queryString);cmd.Connection = conn;conn.Open();SqlDataReader rdr = cmd.ExecuteReader();HarvestResults(rdr);conn.Connection.Close();...

Mitigations & Prevention

Requirements

Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.

Implementation

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.

OperationArchitecture and Design

Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resour

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2007-0897Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.
CVE-2001-0830Sockets not properly closed when attacker repeatedly connects and disconnects from server.
CVE-1999-1127Does not shut down named pipe connections if malformed data is sent.
CVE-2009-2858Chain: memory leak (CWE-404) leads to resource exhaustion.
CVE-2009-2054Product allows exhaustion of file descriptors when processing a large number of TCP packets.
CVE-2008-2122Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.
CVE-2007-4103Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake.
CVE-2002-1372Chain: Return values of file/socket operations are not checked (CWE-252), allowing resultant consumption of file descriptors (CWE-772).

CWE-404: Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

Taxonomy Mappings

  • CERT C Secure Coding: FIO42-C — Close files when they are no longer needed
  • CERT C Secure Coding: MEM31-C — Free dynamically allocated memory when no longer needed
  • OMG ASCSM: ASCSM-CWE-772 —
  • OMG ASCRM: ASCRM-CWE-772 —
  • Software Fault Patterns: SFP14 — Failure to Release Resource

Frequently Asked Questions

What is CWE-772?

CWE-772 (Missing Release of Resource after Effective Lifetime) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

How can CWE-772 be exploited?

Attackers can exploit CWE-772 (Missing Release of Resource after Effective Lifetime) to dos: resource consumption (other), dos: resource consumption (memory), dos: resource consumption (cpu). This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-772?

Key mitigations include: Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perfor

What is the severity of CWE-772?

CWE-772 is classified as a Base-level weakness (Medium abstraction). It has been observed in 8 real-world CVEs.