Applying a lock over a call to a method performing network transactions can be problematic. Depending on the speed and reliability of the connection, the synchronization could lock up the program, producing temporary or permanent deadlock.
Noncompliant Code Example
This noncompliant code example involves the method send_page which sends a Page object containing information being passed between a client and server. send_packet is synchronized to protect access to the array page_buff.
...
Calling writeObject within the synchronized send_page could lead to deadlock in the event that the connection becomes slow or acknowledgments of received data are delayed or lost.
Compliant Solution
A solution would be to separate actions into steps:
...
| Code Block | ||
|---|---|---|
| ||
public final boolean SUCCESS = true;
public final boolean FAILURE = false;
public boolean send_reply(Socket socket, String page_name){
Page target_page = get_page(page_name);
if(target_page == null)
return FAILURE;
return send_page(Socket socket, target_page);
}
private synchronized Page get_page(String page_name){
Page target_page = null;
for(Page p : page_buff){
if(p.getName().equals(page_name))
target_page = p;
}
return target_page;
}
public boolean send_page(Socket socket, Page page){
try{
// Get the output stream to write the Page to
ObjectOutputStream outStream = new ObjectOutputStream(socket.getOutputStream());
// Send the Page to the client
out.writeObject(page);
out.flush();
return SUCCESS;
}catch(IOException io){
// handle exception
return FAILURE;
}
}
|
Risk Assessment
Application of synchronization or locks to methods that perform transactions over a network can lead to temporary or permanent deadlocks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON37-J | low | unlikely | high | P1 | L3 |