CWE-1341: Multiple Releases of Same Resource or Handle

Base Incomplete Simple

CWE Version: 4.18

Updated: 2025-09-09

Weakness Description

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

Common Consequences

Scope: Availability, Integrity

Technical Impact: DoS: Crash, Exit, or Restart

Potential Mitigations

Phase: Implementation

Description: Change the code's logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals.

Phase: Implementation

Strategy: Refactoring

Description: It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However, flag-tracking can increase code complexity and requires diligent compliance by the programmer.

Phase: Implementation

Strategy: Refactoring

Description: When closing a resource, set the resource's associated variable to NULL or equivalent value for the given language. Some APIs will ignore this null value without causing errors. For other APIs, this can lead to application crashes or exceptions, which may still be preferable to corrupting an unintended resource such as memory or data.

Effectiveness: Defense in Depth
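
The flag and sentinel mitigations above, combined for a POSIX file descriptor. This is an added example, not part of the CWE entry: the `struct res` wrapper and its function names are hypothetical, and `-1` plays the role of NULL for descriptors.

```c
#include <fcntl.h>
#include <unistd.h>

/* Hypothetical wrapper: fd == -1 is the "not open" sentinel (the flag). */
struct res { int fd; };

/* (1) The flag is set by a successful open: fd becomes >= 0. */
static int res_open(struct res *r, const char *path)
{
    r->fd = open(path, O_RDONLY);
    return r->fd >= 0 ? 0 : -1;
}

/* (3) Checked before closing, (2) cleared when closed.
 * Returns 1 if a close was performed, 0 if this was a repeated
 * release that was ignored. */
static int res_close(struct res *r)
{
    if (r->fd < 0)
        return 0;        /* already released: do nothing */
    int fd = r->fd;
    r->fd = -1;          /* clear first, so an error path cannot retry */
    close(fd);
    return 1;
}

/* Constructed scenario: a is released twice while b is opened in between.
 * The kernel hands out the lowest free descriptor number, so b normally
 * reuses a's old number; an unguarded second close on a's stale number
 * would close b instead.
 * Returns 1 if the second release was ignored and b is still open. */
static int demo_second_close_is_harmless(void)
{
    struct res a, b;
    if (res_open(&a, "/dev/null") != 0)
        return -1;
    res_close(&a);                              /* legitimate close */
    if (res_open(&b, "/dev/null") != 0)
        return -1;
    int second = res_close(&a);                 /* repeated release */
    int b_alive = fcntl(b.fd, F_GETFD) != -1;   /* b must be untouched */
    res_close(&b);
    return second == 0 && b_alive;
}

int main(void) { return demo_second_close_is_harmless() == 1 ? 0 : 1; }
```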

Detection Methods

Method: Automated Static Analysis

For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.

Method: Automated Dynamic Analysis

Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.

Observed Examples

Reference: CVE-2019-13351

File descriptor double close can cause the wrong file to be associated with a file descriptor.

Reference: CVE-2006-5051

Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415).

Reference: CVE-2004-0772

Double free resultant from certain error conditions.

Modes of Introduction

Phase Note
Implementation -

Applicable Platforms

Languages
Java (Undetermined), Rust (Undetermined), Not Language-Specific (Undetermined), C (Undetermined), C++ (Undetermined)
Operating Systems
Not OS-Specific (Undetermined)
Technologies
Not Technology-Specific (Undetermined)

Key Information

CWE ID: CWE-1341

Abstraction: Base

Structure: Simple

Status: Incomplete

Related Weaknesses