A program may leak resources when it relies on finalize() to release system resources or when there is confusion over which part of the program is responsible for releasing system resources. In a busy system, the delay before the finalize() method is called for an object provides a window of vulnerability during which an attacker could induce a denial-of-service attack. See the rule MET18-J. Do not use finalizers for additional reasons to avoid the use of finalizers.
The Java garbage collector is called to free unreferenced but as-yet unreleased memory. However, the Java garbage collector cannot free non-memory resources such as file descriptors and database connections. Consequently, programs that fail to release such non-memory resources can prematurely exhaust their pool of such resources. In addition, programs can experience resource starvation while waiting for finalize() to release resources such as Lock or Semaphore objects. This can occur because Java lacks any temporal guarantee of when finalize() methods will execute, other than "sometime before program termination." Finally, output streams may cache object references; such cached objects will not be garbage collected until after the output stream is closed. Consequently, output streams should be closed promptly after use.
Also note that on the Windows platform, attempts to delete open files fail silently. See rule FIO07-J. Do not create temporary files in shared directories for more information.
See also the related locking rule LCK08-J. Ensure actively held locks are released on exceptional conditions.
Resources other than raw memory must be explicitly freed in non-finalizer methods, due to the unsuitability of using finalizers.
Noncompliant Code Example (File Handle)
This noncompliant code example opens a file and uses it, but fails to explicitly close the file handle.
public int processFile(String fileName) throws IOException, FileNotFoundException {
FileInputStream stream = new FileInputStream(fileName);
BufferedReader bufRead = new BufferedReader(new InputStreamReader(stream));
String line;
while ((line = bufRead.readLine()) != null) {
sendLine(line);
}
return 1;
}
Compliant Solution
This compliant solution releases all acquired resources, regardless of any exceptions that might occur. Even though dereferencing bufRead might result in an exception, the FileInputStream object is closed as required (if it was created in the first place).
try {
final FileInputStream stream = new FileInputStream(fileName);
try {
final BufferedReader bufRead = new BufferedReader(new InputStreamReader(stream));
String line;
while ((line = bufRead.readLine()) != null) {
sendLine(line);
}
} finally {
if (stream != null) {
try {
stream.close();
} catch (IOException e) {
// forward to handler
}
}
}
} catch (IOException e) {
// forward to handler
}
Compliant Solution (Java 1.7, try-with-resources)
This compliant solution uses the try-with-resources statement, introduced in Java 1.7, to release all acquired resources, regardless of any exceptions that might occur.
try (FileInputStream stream = new FileInputStream(fileName);
BufferedReader bufRead = new BufferedReader(new InputStreamReader(stream))) {
String line;
while ((line = bufRead.readLine()) != null) {
sendLine(line);
}
} catch (IOException e) {
// forward to handler
}
The try-with-resource construct will send any IOException to the catch clause, where it gets forwarded to an exception handler. This includes exceptions generated during the allocation of resources (that is, the creation of the FileInputStream or BufferedReader. It also includes any IOException thrown during the while loop. Finally, it includes any IOException generated by closing bufRead or stream.
Noncompliant Code Example (SQL Connection)
The problem of resource pool exhaustion is aggravated in the case of database connections. Many database servers allow only a fixed number of connections, depending on configuration and licensing. Consequently, failure to release database connections can result in rapid exhaustion of available connections. This noncompliant code example fails to close the connection when an error occurs during execution of the SQL statement or during processing of the results.
public void getResults(String sqlQuery) {
try {
Connection conn = getConnection();
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sqlQuery);
processResults(rs);
stmt.close();
} catch (SQLException e) { /* forward to handler */ }
}
Noncompliant Code Example
This noncompliant code example attempts to address exhaustion of database connections by adding clean-up code in a finally block. However, either or both of rs and stmt could be null, causing the code in the finally block to throw a NullPointerException.
Statement stmt = null;
ResultSet rs = null
Connection conn = getConnection();
try {
stmt = conn.createStatement();
rs = stmt.executeQuery(sqlQuery);
processResults(rs);
} catch(SQLException e) {
// forward to handler
} finally {
rs.close();
stmt.close();
}
Noncompliant Code Example
In this noncompliant code example, the call to rs.close() could throw an SQLException; consequently, stmt.close() would never be called. This is a violation of ERR05-J. Do not let checked exceptions escape from a finally block.
Statement stmt = null;
ResultSet rs = null;
Connection conn = getConnection();
try {
stmt = conn.createStatement();
rs = stmt.executeQuery(sqlQuery);
processResults(rs);
} catch (SQLException e) {
// forward to handler
} finally {
if (rs != null) {
rs.close();
}
if (stmt != null) {
stmt.close();
}
}
Compliant Solution
This compliant solution ensures that resources are released as required.
Statement stmt = null;
ResultSet rs = null;
Connection conn = getConnection();
try {
stmt = conn.createStatement();
rs = stmt.executeQuery(sqlQuery);
processResults(rs);
} catch (SQLException e) {
// forward to handler
} finally {
if (rs != null) {
try {
rs.close();
} catch (SQLException e) {
// forward to handler
} finally {
if (stmt != null) {
try {
stmt.close();
} catch (SQLException e) {
// forward to handler
} finally {
if (conn != null) {
try {
conn.close();
} catch (SQLException e) {
// forward to handler
}
}
}
}
}
}
Compliant Solution (Java 1.7, try-with-resources)
This compliant solution uses the try-with-resource construct, introduced in Java 1.7, to ensure that resources are released as required.
try (Connection conn = getConnection();
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sqlQuery)) {
processResults(rs);
} catch (SQLException e) {
// forward to handler
}
The try-with-resource construct will send any SQLException to the catch clause, where it gets forwarded to an exception handler. This includes exceptions generated during the allocation of resources (that is, the creation of the Connection, Statement, or ResultSet. It also includes any SQLException thrown by processResults(). Finally, it includes any SQLException generated by closing rs, stmt, or conn.
Risk Assessment
Failure to explicitly release non-memory system resources when they are no longer needed can result in resource exhaustion.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO06-J |
low |
probable |
medium |
P4 |
L3 |
Automated Detection
Although sound automated detection of this vulnerability is not feasible in the general case, many interesting cases can be soundly detected.
The Coverity Prevent Version 5.0 RESOURCE_LEAK checker can detect instances where there is leak of a socket resource or leak of a stream representing a file or other system resources.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
FIO42-C. Ensure files are properly closed when they are no longer needed |
|||||
FIO42-CPP. Ensure files are properly closed when they are no longer needed |
|||||
|
CWE-404 "Improper Resource Shutdown or Release" |
||||
|
CWE-459 "Incomplete Cleanup" |
||||
|
CWE-770 "Allocation of Resources Without Limits or Throttling" |
||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7ac254f9-93ae-412d-a27b-5a8e9609ef68"><ac:plain-text-body><![CDATA[ |
[[MITRE 2009 |
AA. Bibliography#MITRE 09]] |
[CWE-405 |
http://cwe.mitre.org/data/definitions/405.html] "Asymmetric Resource Consumption (Amplification)" |
]]></ac:plain-text-body></ac:structured-macro> |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="47cb51a2-75fe-4cad-a1a7-ce1dc7ff3036"><ac:plain-text-body><![CDATA[ |
[[API 2006 |
AA. Bibliography#API 06]] |
[Class Object |
http://java.sun.com/javase/6/docs/api/java/lang/Object.html] |
]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="08dbefd4-61fd-4169-b876-b722ea7c225e"><ac:plain-text-body><![CDATA[ |
[[Goetz 2006b |
AA. Bibliography#Goetz 06b]] |
|
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9322b261-9207-478e-9496-7a327583041a"><ac:plain-text-body><![CDATA[ |
[[J2SE 2011 |
AA. Bibliography#J2SE 11]] |
The try-with-resources Statement |
]]></ac:plain-text-body></ac:structured-macro> |
FIO05-J. Do not create multiple buffered wrappers on a single InputStream 12. Input Output (FIO) FIO07-J. Do not create temporary files in shared directories