Unreleased Resource: Streams

Question

Hi freinds i am getting a warning in the fortify report for the following code:

 if (null != serverSocket) {

     OutputStream socketOutPutStream = serverSocket
       .getOutputStream();
     if (null != socketOutPutStream) {

      oos = new ObjectOutputStream(socketOutPutStream);
      if (null != oos) {
       int c;
       log.info("i am in Step 3 ooss " + oos);
       while ((c = mergedIS.read()) != -1) {
        oos.writeByte(c);
       }
      }
      log.info("i am in Step 4 ");

     }

    }

in the catch block i have mentioned :

catch (UnknownHostException e) {
    //catch exception Vibhas added 
    log.info("UnknownHostException occured");

   } catch (IOException e) {
    //catch exception Vibhas added
    log.info("IOException occured");

   } catch (Exception e) {
    //catch exception
    //log.info("error occured in copyFile in utils-->"+e.getMessage()+"file name is-->"+destiFileName);
   }finally{

    if (null != oos){

     oos.flush();
     oos.close();

      }
      catch (Exception e) {
     //catch exception
      }

    }

Warning which i am getting in the fortify report is:

Abstract: The function copyFile() in ODCUtil.java sometimes fails to release a system resource
allocated by getOutputStream() on line 61.
Sink: ODCUtil.java:64 oos = new ObjectOutputStream(socketOutPutStream)()
62 if (null != socketOutPutStream) {
63
64 oos = new ObjectOutputStream(socketOutPutStream);
65 if (null != oos) {
66 int c;

Complete Code:

public boolean copyFile(InputStream is, String destiFileName) {
    boolean flag = false;
    {
        InputStream mergedIS = null;
        ObjectOutputStream oos = null;
        ObjectInputStream ois = null;
        ByteArrayInputStream str = null;
        try {

            //Step 1 : first get the input stream of file content and file name
            // then merge into one input stream
            log.info("i am in Step 1 ");
            log.info("destiFileName got-->" + destiFileName);
            log.info("is  got in coptFile function -->" + is);
            destiFileName = "@" + destiFileName + "@";
            log.info("destiFileName sending to server-->" + destiFileName);
            str = new ByteArrayInputStream(destiFileName.getBytes());
            log.info("The ByteArrayInputStream we got is  "
                    + str.toString());
            mergedIS = new SequenceInputStream(str, is);

            //Step 2 : Make a connection to server ie DB server
            log.info("i am in Step 2 ");
            String serverIP = "172.17.119.67";
            int serverPort = 1522;
            Socket serverSocket = new Socket(serverIP, serverPort);

            //Step 3 : We have to write the merged inputstream to outputstream of server, ie socket of server
            log.info("i am in Step 3 ");

            //added by vibhas to resolve Unreleased resource

            if (null != serverSocket) {

                OutputStream socketOutPutStream = serverSocket
                        .getOutputStream();
                if (null != socketOutPutStream) {

                    oos = new ObjectOutputStream(socketOutPutStream);
                    if (null != oos) {
                        int c;
                        log.info("i am in Step 3 ooss " + oos);
                        while ((c = mergedIS.read()) != -1) {
                            oos.writeByte(c);
                            socketOutPutStream.close();
                        }
                    }
                    log.info("i am in Step 4 ");

                }

            }

            //Step 4 : We have to get an acknowledgment from server that , server has copied the file properly
            //this is the same .

            if (true) {
                log.info("i am in Step 4 11");
                flag = true;
            }
        } catch (UnknownHostException e) {
            //catch exception Vibhas added 
            log.info("UnknownHostException occured");

        } catch (IOException e) {
            //catch exception Vibhas added
            log.info("IOException occured");

        } catch (Exception e) {
            //catch exception
            //log.info("error occured in copyFile in utils-->"+e.getMessage()+"file name is-->"+destiFileName);
        } finally {
            try {
                if (null != str) {
                    str.close();
                }
                if (null != ois) {
                    ois.close();
                }
                if (null != mergedIS) {
                    mergedIS.close();
                }
                if (null != oos) {
                    oos.flush();
                    oos.close();
                }
            } catch (Exception e) {
                //catch exception
            }
        }
    }
    log.info("finally returned flag-->" + flag);
    return flag;
}

Answer 1

Well, it's probably too late for you to care, but I have an idea. In the finally block, you call flush() before you call close(). But flush() can throw an IOException!

Answer 2

Not a nice try/catch structure. For one thing, ask yourself: What would happen if str.close(); (at the beginning of your finally block) throws an exception?

Better see here: Java io ugly try-finally block

BTW: this is ugly; new will never return null.

  oos = new ObjectOutputStream(socketOutPutStream);
  if (null != oos) {

BTW2: Are you sure you need an ObjectOutputStream? many people use that to write plain bytes, but that's not the idea (it's for serializing objects), and the original OutputStream would be enough for that.

Answer 3

I don't know what is fortify report, but where are you closing socketOutPutStream? Does it get closed as a side-effect of closing oos? Even so, there is a possibility that socketOutPutStream is not null and requires closing but oos is null.