# Catalog metadata for a single CERT C guideline entry.
[metadata]
# `category` and `number` repeat the two parts of `id`; keep all three in sync.
id = "FIO22-C"
type = "recommendation"
category = "FIO"
number = 22
title = "Close files before spawning processes"
# NOTE(review): the title concerns open files being inherited by spawned
# processes (compare CWE-403 under [references]), but the description text
# below never mentions child processes. It covers only descriptor exhaustion,
# unflushed buffers and use of a FILE pointer after close, and reads like the
# introduction to FIO42-C ("Close files when they are no longer needed").
# Confirm the description against the wiki page for this id before relying on it.
description = """
Standard FILE objects and their underlying representation (file descriptors on
POSIX platforms or handles elsewhere) are a finite resource that must be
carefully managed. The number of files that an implementation guarantees may be
open simultaneously is bounded by the FOPEN_MAX macro defined in <stdio.h>. The
value of the macro is guaranteed to be at least 8. Consequently, portable
programs must either avoid keeping more than FOPEN_MAX files open at the same
time or be prepared for functions such as fopen() to fail due to resource
exhaustion. Failing to close files when they are no longer needed may allow
attackers to exhaust, and possibly manipulate, system resources. This phenomenon
is sometimes called file descriptor leakage, although file pointers may also be
used as an attack vector. In addition, keeping files open longer than necessary
increases the risk that data written into in-memory file buffers will not be
flushed in the event of abnormal program termination. To prevent file descriptor
leaks and to guarantee that any buffered data will be flushed into permanent
storage, files must be closed when they are no longer needed. The behavior of a
program is undefined when it uses the value of a pointer to a FILE object after
the associated file is closed (see undefined behavior 153). Programs that close
the standard streams (especially stdout but also stderr and stdin) must be
careful not to use the stream objects in subsequent function calls, particularly
those that implicitly operate on such objects (such as printf(), perror(), and
getc()).
"""
# Risk-assessment fields, stored as display strings.
# NOTE(review): no remediation-cost field is recorded here, so `priority` and
# `level` cannot be re-derived from this file alone; verify them against the
# wiki page listed under [references].
severity = "Medium"
likelihood = "Unlikely"
priority = "P2"
level = "L3"
cert_version = "2016 Edition (Wiki)"
# Kept as a free-form string, not a TOML date; presumably the consumer expects
# this exact format (TODO confirm before converting).
last_modified = "May 20, 2025"

# Per-rule switch. The table path repeats the id from [metadata], and the bare
# key `FIO22-C` is valid because bare keys allow letters, digits and `-`.
[rules.cert_c.FIO22-C]
enabled = true

[references]
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/FIO22-C.+Close+files+before+spawning+processes"
# CWE-403: Exposure of File Descriptor to Unintended Control Sphere
# CWE-404: Improper Resource Shutdown or Release
# CWE-770: Allocation of Resources Without Limits or Throttling
cwe = ["CWE-403", "CWE-404", "CWE-770"]