CWE-666: Operation on Resource in Wrong Phase of Lifetime

Description

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

Submission Date :

April 11, 2008, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

MITRE
Extended Description

A resource's lifecycle includes several phases: initialization, use, and release. For each phase, it is important to follow the specifications outlined for how to operate on the resource and to ensure that the resource is in the expected phase. Otherwise, if a resource is in one phase but the operation is not valid for that phase (i.e., an incorrect phase of the resource's lifetime), then this can produce resultant weaknesses. For example, using a resource before it has been fully initialized could cause corruption or incorrect data to be used.

Example Vulnerable Codes

Example - 1

The following code shows a simple example of a double free vulnerability.


free(ptr);
char* ptr = (char*)malloc (SIZE);...if (abrt) {}...free(ptr);

Double free vulnerabilities have two common (and sometimes overlapping) causes:

Error conditions and other exceptional circumstancesConfusion over which part of the program is responsible for freeing the memory

Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.

Related Weaknesses

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 21, 2024 17:41