CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.6)  

CWE-769: File Descriptor Exhaustion

 
File Descriptor Exhaustion
Category ID: 769 (Category)Status: Incomplete
+ Description

Description Summary

The software can be influenced by an attacker to open more files than are supported by the system.

Extended Description

There are at least three distinct scenarios which can commonly lead to file descriptor exhaustion:

1. Lack of throttling for the number of open file descriptors

2. Losing all references to a file descriptor before reaching the shutdown stage

3. Failure to close file descriptors after processing

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Likelihood of Exploit

Low to Medium

+ Potential Mitigations
PhaseDescription
Implementation
Architecture and Design

If file I/O is being supported by an application for multiple users, balancing the resource allotment across the group may help to prevent exhaustion as well as differentiate malicious activity from an insufficient resource pool.

Implementation

Consider using the getrlimit() function included in the sys/resources library in order to determine how many files are currently allowed to be opened for the process.

(Good Code)
C
#include <sys/resource.h>
...
int return_value;
struct rlimit rlp;
...
return_value = getrlimit(RLIMIT_NOFILE, &rlp);
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base400Uncontrolled Resource Consumption ('Resource Exhaustion')
Development Concepts (primary)699
ParentOfWeakness VariantWeakness Variant773Missing Reference to Active File Descriptor or Handle
Development Concepts (primary)699
ParentOfWeakness VariantWeakness Variant774Allocation of File Descriptors or Handles Without Limits or Throttling
Development Concepts (primary)699
ParentOfWeakness VariantWeakness Variant775Missing Release of File Descriptor or Handle after Effective Lifetime
Development Concepts (primary)699
+ References
+ Maintenance Notes

This entry

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2009-05-08Internal CWE Team
Back to top
Page Last Updated: October 29, 2009
 

CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us