Safe Handle

"SafeHandle.DangerousGetHandle" should not be called

What does this mean?

SafeHandle.DangerousGetHandle retrieves the actual handle value from an instance of a SafeHandle-derived class. The method exists for backwards compatibility, because many properties in the .NET Framework return IntPtr handle types. IntPtr handle types are platform-specific types used to represent a pointer or a handle. Not surprisingly, the SafeHandle.DangerousGetHandle method is dangerous: it may not return a valid handle.

What can happen?

Using it can lead to leaks and vulnerabilities. While it is possible to use the method successfully, it's extremely difficult to do correctly, so the method should simply be avoided altogether. Using the DangerousGetHandle method can pose security risks because, if the handle has been marked as invalid with SetHandleAsInvalid, DangerousGetHandle still returns the original, potentially stale handle value. The returned handle can also be recycled at any point. At best, this means the handle might suddenly stop working. At worst, if the handle or the resource that the handle represents is exposed to untrusted code, this can lead to a recycling security attack on the reused or returned handle. For example, an untrusted caller can query data on the handle just returned and receive information for an entirely unrelated resource.

Recommendation

The SafeHandle.DangerousGetHandle method should not be used in code.

Sample Code

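Vulnerable:

static void Main(string[] args)
{
    // Reflection reads a SafeHandle-typed field of rKey (the lookup is elided in the original).
    System.Reflection.FieldInfo fieldInfo = ...;
    SafeHandle handle = (SafeHandle)fieldInfo.GetValue(rKey);
    // The raw value returned here is no longer tied to the SafeHandle's lifetime.
    IntPtr dangerousHandle = handle.DangerousGetHandle();  // Noncompliant
}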
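
A compliant counterpart to the sample above, as an added example that is not part of the original page: the SafeHandle itself is passed to native code, so no raw IntPtr is ever extracted. It assumes Windows (kernel32's GetFileType); the names NativeMethods, IsDiskFile and FileTypeDisk are hypothetical, and the temporary file is constructed sample input.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

internal static class NativeMethods
{
    // Typing the parameter as SafeFileHandle (not IntPtr) makes the interop
    // marshaller hold a reference on the handle for the duration of the call.
    [DllImport("kernel32.dll", SetLastError = true)]
    internal static extern uint GetFileType(SafeFileHandle hFile);
}

internal static class Program
{
    private const uint FileTypeDisk = 0x0001; // FILE_TYPE_DISK

    // Hypothetical helper: true if the handle refers to a disk file.
    private static bool IsDiskFile(SafeFileHandle handle) =>
        NativeMethods.GetFileType(handle) == FileTypeDisk;

    private static void Main()
    {
        string path = Path.GetTempFileName(); // constructed sample input
        SafeFileHandle handle;
        try
        {
            using (var stream = new FileStream(path, FileMode.Open, FileAccess.Read))
            {
                handle = stream.SafeFileHandle;
                Console.WriteLine("Open handle is a disk file: " + IsDiskFile(handle));
            }

            // The stream is disposed, so the handle is closed. The marshaller
            // refuses it instead of handing a possibly recycled value to the OS.
            try
            {
                IsDiskFile(handle);
            }
            catch (ObjectDisposedException)
            {
                Console.WriteLine("Closed handle rejected before the native call.");
            }
        }
        finally { File.Delete(path); }
    }
}
```

Had GetFileType been declared with an IntPtr parameter and fed from DangerousGetHandle, the second call would have gone to the operating system with the stale value.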
