CWE Rule 403
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Since R2026a
Description
A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
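The leak the description refers to, and the standard fix, can be reproduced in a few lines. The following is an added example written for this page, not Polyspace code: it opens a file twice, once with a plain open and once with O_CLOEXEC (POSIX.1-2008), then forks and execs /bin/sh to see which descriptor the child program can still use. The shell probe, the use of /dev/null as a stand-in for a sensitive file, and the function names are constructed for the demonstration; the code assumes a POSIX system with /bin/sh.

```c
#define _GNU_SOURCE   /* O_CLOEXEC, fork/exec and waitpid on glibc under a strict -std */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Leaky open: the descriptor is inherited by every program this process execs. */
int open_leaky(const char *path)
{
    return open(path, O_RDONLY);
}

/* Hardened open: close-on-exec is set atomically at open time, so there is
 * no window in which a concurrently forked child could inherit it. */
int open_cloexec(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Retrofit close-on-exec onto a descriptor that is already open, for example
 * one handed back by a library. Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Probe whether fd is still open in a child after exec. The child runs
 * "sh -c ': >&N'", which exits 0 only if descriptor N can be duplicated,
 * i.e. is open in the new program image.
 * Returns 1 if the descriptor leaked, 0 if it was closed, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Silence the shell's "Bad file descriptor" message. */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0 && fd != STDERR_FILENO) {
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;                        /* exec itself failed */
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Constructed demonstration. Returns 0 when the leaky open leaks, the
 * O_CLOEXEC open does not, and the retrofit closes the leak; otherwise the
 * number of the step that did not behave as expected. */
int demo_cloexec(void)
{
    int leaky = open_leaky("/dev/null");
    int safe = open_cloexec("/dev/null");
    int rc = 0;

    if (leaky < 0 || safe < 0)
        return 1;
    if (fd_survives_exec(leaky) != 1)
        rc = 2;                           /* expected: leaked into the child */
    else if (fd_survives_exec(safe) != 0)
        rc = 3;                           /* expected: closed across exec */
    else if (set_cloexec(leaky) != 0 || fd_survives_exec(leaky) != 0)
        rc = 4;                           /* expected: retrofit fixes the leak */
    close(leaky);
    close(safe);
    return rc;
}

int main(void)
{
    int rc = demo_cloexec();
    if (rc == 0)
        printf("leak reproduced, then closed with O_CLOEXEC / FD_CLOEXEC\n");
    else
        printf("demo step %d failed\n", rc);
    return rc;
}
```

Prefer O_CLOEXEC at open time over a later fcntl: in a multi-threaded program another thread can fork between the open and the fcntl, and that child inherits the descriptor. The fcntl retrofit is for descriptors you did not open yourself.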
Polyspace Implementation
The rule checker checks for these issues:
Privilege drop not verified
Resource leak
Examples
Privilege drop not verified

This issue occurs when you relinquish privileges using functions such as setuid but do not verify that the privileges were actually dropped before exiting your function.

If you do not verify that privileges were properly dropped after relinquishing them, an attacker may exploit the opportunity to regain elevated access, potentially compromising system security.

Before the end of scope, verify that the privileges that you dropped were actually dropped.
#define _BSD_SOURCE
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <stdlib.h>
#define fatal_error() abort()
extern int need_more_privileges;
void missingprivilegedropcheck()
{
/* Code intended to run with elevated privileges */
/* Temporarily drop elevated privileges */
if (seteuid(getuid()) != 0) {
/* Handle error */
fatal_error();
}
/* Code intended to run with lower privileges */
if (need_more_privileges) {
/* Restore elevated privileges */
if (seteuid(0) != 0) {
/* Handle error */
fatal_error();
}
/* Code intended to run with elevated privileges */
}
/* ... */
/* Permanently drop elevated privileges */
if (setuid(getuid()) != 0) {
/* Handle error */
fatal_error();
}
/* Code intended to run with lower privileges */
} //Noncompliant

In this example, privileges are elevated and dropped to run code at the intended privilege level, but the privilege level is never verified before the function returns. If the permanent drop did not take effect, a malicious attacker can regain the elevated privileges.
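The verification that the noncompliant function omits can also be done directly on the process's ID set, which works for a drop to any target user and not only for a root-to-non-root drop. The following is an added example written for this page, not Polyspace or CERT code. It assumes Linux or a BSD, where getresuid, getresgid, setresuid and setresgid exist (they are not available on macOS). The helper clears supplementary groups while still privileged, drops the group before the user (once the UID is gone the GID can no longer be changed), then checks all three ID slots, and adds the setuid(0) probe only when the process started as root.

```c
#define _GNU_SOURCE          /* exposes getresuid/setresuid and setgroups on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if the real, effective and saved user and group IDs all equal
 * uid/gid, 0 if any slot differs, -1 if the IDs cannot be read. */
int ids_match(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    return (ru == uid && eu == uid && su == uid &&
            rg == gid && eg == gid && sg == gid) ? 1 : 0;
}

/* Permanently drop to uid/gid and verify the drop. Returns 0 on success,
 * -1 if any step fails or the verification shows privileges remain. */
int drop_privileges(uid_t uid, gid_t gid)
{
    int was_root = (geteuid() == 0);

    /* Supplementary groups can only be cleared while still privileged. */
    if (was_root && setgroups(0, NULL) != 0)
        return -1;
    /* Group first: after the UID is dropped the GID can no longer be changed. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verification 1: every ID slot, including the saved IDs, holds the target.
     * A leftover saved set-user-ID is exactly what lets a later seteuid regain
     * the old privilege. */
    if (ids_match(uid, gid) != 1)
        return -1;
    /* Verification 2, only meaningful when dropping from root to non-root:
     * regaining root must now fail. */
    if (was_root && uid != 0 && setuid(0) != -1)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed demonstration: dropping to the IDs the process already holds
     * is a no-op that still exercises every check, so it runs unprivileged. */
    if (drop_privileges(getuid(), getgid()) == 0)
        printf("dropped to uid=%u gid=%u and verified\n",
               (unsigned)getuid(), (unsigned)getgid());
    else
        printf("drop failed: %s\n", strerror(errno));
    return 0;
}
```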
One possible correction is to probe with setuid(0) after the permanent drop: once the privileges are gone the call must fail, so a call that succeeds shows that the drop did not take effect. This probe is meaningful only when the process started as root; when dropping to any other user, compare the real, effective and saved IDs with the intended values instead (for example with getresuid on Linux and BSD systems).
#define _BSD_SOURCE
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <stdlib.h>
#define fatal_error() abort()
extern int need_more_privileges;
void missingprivilegedropcheck()
{
/* Store the privileged ID for later verification */
uid_t privid = geteuid();
/* Code intended to run with elevated privileges */
/* Temporarily drop elevated privileges */
if (seteuid(getuid()) != 0) {
/* Handle error */
fatal_error();
}
/* Code intended to run with lower privileges */
if (need_more_privileges) {
/* Restore elevated Privileges */
if (seteuid(privid) != 0) {
/* Handle error */
fatal_error();
}
/* Code intended to run with elevated privileges */
}
/* ... */
/* Restore privileges if needed */
if (geteuid() != privid) {
if (seteuid(privid) != 0) {
/* Handle error */
fatal_error();
}
}
/* Permanently drop privileges */
if (setuid(getuid()) != 0) {
/* Handle error */
fatal_error();
}
if (setuid(0) != -1) {
/* Privileges can be restored, which indicates they were not properly dropped */
/* Handle error */
fatal_error();
}
/* Code intended to run with lower privileges; */
}

Resource leak

This issue occurs when you open a file stream by using a FILE pointer but do not close it before:
- The end of the pointer's scope.
- Assigning the pointer to another stream.

If you do not release file handles explicitly as soon as possible, a failure can occur due to exhaustion of resources.

Close a FILE pointer before the end of its scope, or before you assign the pointer to another stream.
#include <stdio.h>
void func1( void ) {
FILE *fp1;
fp1 = fopen ( "data1.txt", "w" );
fprintf ( fp1, "*" );
fp1 = fopen ( "data2.txt", "w" ); //Noncompliant: previous stream still open
fprintf ( fp1, "!" );
fclose ( fp1 );
}

In this example, the file pointer fp1 points to the file data1.txt. Before fp1 is explicitly dissociated from the stream of data1.txt, it is reassigned to a stream for another file, data2.txt. This is noncompliant because fp1 is overwritten without closing the previous stream: the handle to data1.txt is no longer reachable from the program and can never be closed.
One possible correction is to explicitly dissociate fp1 from the file stream of data1.txt by calling fclose before reopening fp1.
#include <stdio.h>
void func1( void ) {
FILE *fp1;
fp1 = fopen ( "data1.txt", "w" );
fprintf ( fp1, "*" );
fclose(fp1);
fp1 = fopen ( "data2.txt", "w" );
fprintf ( fp1, "!" );
fclose ( fp1 );
}
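The failure mode the description warns about, descriptor exhaustion, can be made visible by repeating the two patterns above under a lowered descriptor limit. The following is an added example written for this page, not Polyspace code: it assumes a POSIX system with RLIMIT_NOFILE and uses /dev/null as a constructed stand-in for the data files. The function names are the example's own.

```c
#define _GNU_SOURCE          /* getrlimit/setrlimit under a strict -std on glibc */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>

/* Noncompliant pattern from the page, repeated n times: fp is reassigned
 * without fclose, so every stream but the last is lost. Returns the number
 * of successful opens and stores the errno of the first failure in *err. */
int reopen_leaky(const char *path, int n, int *err)
{
    FILE *fp = NULL;
    int opened = 0;
    *err = 0;
    for (int i = 0; i < n; i++) {
        fp = fopen(path, "r");        /* previous stream still open: leaked */
        if (fp == NULL) {
            *err = errno;
            break;
        }
        opened++;
    }
    if (fp != NULL)
        fclose(fp);                   /* only the last stream is still reachable */
    return opened;
}

/* Compliant pattern: close each stream before the pointer is reused.
 * Returns the number of successful opens. */
int reopen_closing(const char *path, int n)
{
    int opened = 0;
    for (int i = 0; i < n; i++) {
        FILE *fp = fopen(path, "r");
        if (fp == NULL)
            break;
        opened++;
        fclose(fp);
    }
    return opened;
}

/* Constructed demonstration: lower the soft descriptor limit to 64 so that
 * exhaustion shows up after a few dozen opens. Returns 1 if the compliant
 * pattern completes all 200 opens while the leaky one stops early with
 * EMFILE, otherwise 0. The descriptors leaked by reopen_leaky stay open
 * until the process exits: no FILE* to them survives. */
int demo_exhaustion(void)
{
    struct rlimit old, small;
    int err = 0, ok, leaked;

    if (getrlimit(RLIMIT_NOFILE, &old) != 0)
        return 0;
    small = old;
    small.rlim_cur = 64;
    if (small.rlim_cur > old.rlim_max)
        small.rlim_cur = old.rlim_max;
    if (setrlimit(RLIMIT_NOFILE, &small) != 0)
        return 0;

    ok = reopen_closing("/dev/null", 200);          /* expected: 200 */
    leaked = reopen_leaky("/dev/null", 200, &err);  /* expected: < 64, err == EMFILE */

    setrlimit(RLIMIT_NOFILE, &old);   /* restore the limit for the rest of the process */
    return (ok == 200 && leaked < 200 && err == EMFILE) ? 1 : 0;
}

int main(void)
{
    if (demo_exhaustion())
        printf("closing streams: 200 opens; leaking streams: stopped with EMFILE\n");
    else
        printf("unexpected result\n");
    return 0;
}
```

Run the compliant loop before the leaky one, as the demonstration does: once the leaky loop has exhausted the table, nothing in the program can close those streams, so any later fopen in the same process fails as well.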
Check Information
Category: Resource Management Errors
PQL Name: std.cwe_native.R403
Version History
Introduced in R2026a