CWE-460: Improper Cleanup on Thrown Exception

Structure: Simple

Abstraction: Variant

Status: Draft

Likelihood of Exploit: Medium

Description

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

Extended Description

Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening.

Related Weaknesses

  • ChildOf CWE-459 (View 1000, Ordinal: Primary)

  • ChildOf CWE-755 (View 1000)

Applicable Platforms

Languages: C (Prevalence: Undetermined), C++ (Prevalence: Undetermined), Java (Prevalence: Undetermined), C# (Prevalence: Undetermined)

Common Consequences

Scope: Other
Impact: Varies by Context
Note: The code could be left in a bad state.

Potential Mitigations

Phase: Implementation

Strategy:

If one breaks out of a loop or function by throwing an exception, make sure that cleanup happens, or else exit the program. Throw exceptions sparingly.

Demonstrative Examples

The following example demonstrates the weakness.

(bad code) Example Language: Java

public class foo {
    public static final void main( String args[] ) {
        boolean returnValue;
        returnValue=doStuff();
    }
    public static final boolean doStuff( ) {
        boolean threadLock = false;
        boolean truthvalue = true;
        boolean something = false;  // placeholder: whatever the catch block would test
        int remaining = 3;          // placeholder: stands in for "check some condition"
        try {
            while( remaining > 0 ) {
                threadLock=true; // do some stuff to truthvalue; if that throws, the unlock below is skipped
                remaining--;
                threadLock=false;
            }
        }
        catch (Exception e){
            System.err.println("You did something bad");
            if (something) return truthvalue;
        }
        return truthvalue;
    }
}

In this case, you may leave a thread locked accidentally.
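The following is an added example, not code from the CWE entry itself. It reworks the demonstrative example above with a real java.util.concurrent.locks.ReentrantLock in place of the threadLock flag, shows the leak when the work inside the loop throws, and then applies the mitigation described above: releasing the lock in a finally block, and closing a resource with try-with-resources, so that cleanup runs on every exit path. The class and method names (CleanupOnException, doStuffUnsafe, doStuffSafe, work, Resource) and the simulated failing step are assumptions made for this example.

```java
import java.util.concurrent.locks.ReentrantLock;

// Added example (not the CWE entry's own code). Names and the simulated
// work/failure are hypothetical; the lock and resource patterns are standard Java.
public class CleanupOnException {

    // Shared lock guarding some state, standing in for the page's threadLock flag.
    private static final ReentrantLock lock = new ReentrantLock();

    // Simulated unit of work: throws on the step the caller marks as failing.
    static boolean work(int step, int failingStep) {
        if (step == failingStep) {
            throw new IllegalStateException("step " + step + " failed");
        }
        return true;
    }

    // BAD: mirrors the page's example. If work() throws while the lock is held,
    // lock.unlock() is skipped and the lock remains held after the method returns.
    static boolean doStuffUnsafe(int steps, int failingStep) {
        boolean truthvalue = true;
        try {
            for (int i = 0; i < steps; i++) {
                lock.lock();
                truthvalue &= work(i, failingStep);
                lock.unlock();           // not reached when work() throws
            }
        } catch (Exception e) {
            System.err.println("You did something bad: " + e.getMessage());
        }
        return truthvalue;
    }

    // GOOD: unlock in finally, so the lock is released whether the loop body
    // completes normally, returns early, or throws.
    static boolean doStuffSafe(int steps, int failingStep) {
        boolean truthvalue = true;
        try {
            for (int i = 0; i < steps; i++) {
                lock.lock();
                try {
                    truthvalue &= work(i, failingStep);
                } finally {
                    lock.unlock();       // runs even when work() throws
                }
            }
        } catch (Exception e) {
            System.err.println("You did something bad: " + e.getMessage());
        }
        return truthvalue;
    }

    // Same idea for resources: try-with-resources calls close() on every exit path,
    // including the one taken when use() throws.
    static final class Resource implements AutoCloseable {
        static int open = 0;
        Resource() { open++; }
        void use(boolean fail) {
            if (fail) throw new IllegalStateException("use failed");
        }
        @Override public void close() { open--; }
    }

    static int useResourceSafe(boolean fail) {
        try (Resource r = new Resource()) {
            r.use(fail);
        } catch (IllegalStateException e) {
            System.err.println("handled: " + e.getMessage());
        }
        return Resource.open;   // number of resources still open after the call
    }

    public static void main(String[] args) {
        doStuffUnsafe(3, 1);
        // After the unsafe version the lock is still held by this thread.
        System.out.println("after unsafe, lock held by this thread: "
                + lock.isHeldByCurrentThread());
        if (lock.isHeldByCurrentThread()) lock.unlock();   // reset before the next run

        doStuffSafe(3, 1);
        // After the safe version the finally block has released it.
        System.out.println("after safe, lock held by this thread: "
                + lock.isHeldByCurrentThread());

        System.out.println("resources still open after a failing use: "
                + useResourceSafe(true));
    }
}
```

Run it with `javac CleanupOnException.java && java CleanupOnException`. The unsafe method leaves the lock held even though the exception was caught and logged, which is exactly the "thread locked accidentally" state the entry describes; any other thread that later calls lock.lock() blocks forever. Putting the unlock in finally (or using try-with-resources for closeable resources) is the cleanup the mitigation calls for, and it also covers the early `return` inside the catch block, which would otherwise be a second path that skips cleanup.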

Taxonomy Mappings

Mapped Taxonomy Name / Node ID / Fit / Mapped Node Name

  • CLASP: Improper cleanup on thrown exception

  • The CERT Oracle Secure Coding Standard for Java (2011), ERR03-J: Restore prior object state on method failure

  • The CERT Oracle Secure Coding Standard for Java (2011), ERR05-J: Do not let checked exceptions escape from a finally block

  • SEI CERT Perl Coding Standard, EXP31-PL (Fit: Imprecise): Do not suppress or ignore exceptions