Operation on Resource in Wrong Phase of Lifetime

Status: Draft
Abstraction: Class
Structure: Simple
Description

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

Extended Description

A resource's lifecycle includes several phases: initialization, use, and release. For each phase, it is important to follow the specifications outlined for how to operate on the resource and to ensure that the resource is in the expected phase. Otherwise, if a resource is in one phase but the operation is not valid for that phase (i.e., an incorrect phase of the resource's lifetime), then this can produce resultant weaknesses. For example, using a resource before it has been fully initialized could cause corruption or incorrect data to be used.

Common Consequences 1
Scope: Other

Impact: Other

Potential Mitigations 1
Phase: Architecture and Design
Follow the resource's lifecycle from creation to release.

Demonstrative Examples 1

ID : DX-149

The following code shows a simple example of a double free vulnerability.

Code Example:

Bad
C
Double free vulnerabilities have two common (and sometimes overlapping) causes:

- Error conditions and other exceptional circumstances
- Confusion over which part of the program is responsible for freeing the memory

Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.
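
The following is an added example, not code from the CWE entry: one way to enforce the initialization, use, and release phases so that a release on an error path followed by the caller's own cleanup is refused instead of becoming a second `free`. The names `buf_t`, `buf_init`, `buf_write`, `buf_release` and `process` are hypothetical, and the object is assumed to start zero-initialized (`PH_UNINIT`).

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical names (not from the CWE entry): buf_t and the buf_* functions. */
enum phase { PH_UNINIT, PH_READY, PH_RELEASED };
typedef struct { enum phase phase; char *data; size_t cap; } buf_t;

/* Initialization: valid only from PH_UNINIT. Returns 0 on success, -1 otherwise. */
int buf_init(buf_t *b, size_t cap) {
    if (b->phase != PH_UNINIT) return -1;
    b->data = calloc(1, cap);
    if (!b->data) return -1;
    b->cap = cap;
    b->phase = PH_READY;
    return 0;
}

/* Use: rejected before initialization and after release. */
int buf_write(buf_t *b, const char *src, size_t n) {
    if (b->phase != PH_READY || n > b->cap) return -1;
    memcpy(b->data, src, n);
    return 0;
}

/* Release: frees exactly once; a second call is reported, not executed. */
int buf_release(buf_t *b) {
    if (b->phase != PH_READY) return -1;
    free(b->data);
    b->data = NULL; b->cap = 0;
    b->phase = PH_RELEASED;
    return 0;
}

/* Constructed scenario: the error path releases, and so will the caller. */
int process(buf_t *b, const char *msg, size_t n) {
    if (buf_write(b, msg, n) != 0) {
        buf_release(b);               /* error path frees the buffer */
        return -1;
    }
    return 0;
}

int main(void) {
    buf_t b = { PH_UNINIT, NULL, 0 };
    if (buf_init(&b, 4) != 0) return 1;
    process(&b, "toolong", 7);        /* write fails, error path releases b */
    return buf_release(&b) == -1 ? 0 : 1;  /* caller's cleanup is refused */
}
```
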
Observed Examples 1
CVE-2006-5051: Chain: Signal handler contains too much functionality (Signal Handler with Functionality that is not Asynchronous-Safe), introducing a race condition (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) that leads to a double free (Double Free).
Modes of Introduction
Implementation
Taxonomy Mapping
  • CERT C Secure Coding