> On Tue, 18 Dec 2012, Martin Sebor wrote:
>> On 12/18/2012 12:30 PM, Steve Grubb wrote:
>>> I was curious if CWE-459 is specific to file descriptors as all the
>>> show, or would this also include something like calling delete on an array
>>> of classes when delete[] should have been called?
>> I believe CWE-762: Mismatched Memory Management Routines
>> is the weakness you're looking for, though it could use
>> another example describing the mismatched forms of
>> operators new and delete.
> Agreed that CWE-762 could use additional examples.
> In this particular case, it seems appropriate to use CWE-762. However, if
> I understand Steve's example correctly, there could be scenarios where the
> destructors are not called but the code continues to run. In this case,
> there might be resources that are not released, which would be a chain
> where CWE-762 is primary and CWE-459 is resultant.
> In Steve's example, he says that glibc aborts the program due to memory
> corruption - so when glibc is running, there might be a chain with a
> different CWE than CWE-459.
>> CWE-459: Incomplete Cleanup is about leaking resources,
>> which may include file descriptors (though I don't see
>> any relevant examples).
> CWE-459 effectively covers file descriptors and any other type of
> resource, but note that CWE-775 (Missing Release of File Descriptor or
> Handle after Effective Lifetime) is a child of CWE-772 (Missing Release of
> Resource after Effective Lifetime), which is similar to CWE-459. But,
> CWE-459 emphasizes temporary resources and its description mentions
> "improper" cleanup (which, by CWE's definition, means cleanup that is
> missing *or* incorrect). So there may be some overlap between CWE-459 and
> CWE-772 that cannot be fully resolved because they focus on different
> aspects of a problem.
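
The chain discussed in this thread (CWE-762 primary, CWE-459 resultant), as an added example that is not from any of the thread's participants. `Handle` and the function names are hypothetical, and since a real mismatched `delete` is undefined behaviour, the "destructors skipped" outcome is modelled with placement new:

```cpp
#include <cstddef>
#include <memory>
#include <new>

// Constructed stand-in for a class that owns a resource (e.g. a descriptor).
struct Handle {
    static int open_count;        // resources currently held
    Handle()  { ++open_count; }   // acquire
    ~Handle() { --open_count; }   // release
};
int Handle::open_count = 0;

// Matched pairing: new[] released with delete[], so every destructor runs.
int leaked_after_array_delete(std::size_t n) {
    Handle* arr = new Handle[n];
    delete[] arr;                 // writing `delete arr;` here is the CWE-762 mismatch
    return Handle::open_count;
}

// Ownership type that selects delete[] by construction, removing the choice.
int leaked_after_unique_ptr(std::size_t n) {
    { std::unique_ptr<Handle[]> arr(new Handle[n]); }
    return Handle::open_count;
}

// Well-defined model of the scenario where the program keeps running but
// only one element is destroyed: the remaining resources are never released
// (the resultant CWE-459). This is an assumption about one possible outcome,
// not what any particular runtime is guaranteed to do.
int leaked_when_destructors_skipped(std::size_t n) {
    void* raw = ::operator new(n * sizeof(Handle));
    Handle* arr = static_cast<Handle*>(raw);
    for (std::size_t i = 0; i < n; ++i) new (arr + i) Handle();
    if (n > 0) arr[0].~Handle();  // a single destructor call
    ::operator delete(raw);       // storage freed, other destructors never ran
    int leaked = Handle::open_count;
    Handle::open_count = 0;       // reset the counter for later calls
    return leaked;
}

int main() {
    return leaked_after_array_delete(4) + leaked_after_unique_ptr(4);
}
```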