...
Memory and other resource leaks will eventually cause a program to crash. If an attacker can provoke repeated resource leaks by forcing an exception to be thrown through the submission of suitably crafted data, then the attacker can mount a denial-of-service attack.
| Rule | Severity | Likelihood | Detectable | Repairable | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|---|---|
| ERR57-CPP | Low | Probable | No | No | High | P2 | L3 |
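The denial-of-service path described above, as an added example (not code from the CERT standard): a pool of slots is drained by malformed requests when the release is skipped on the exception path, while an RAII guard keeps the pool usable. The pool, `SlotGuard`, `validate`, the two handlers and `survives` are hypothetical names constructed for this illustration.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Constructed stand-in for a scarce resource: a pool of 8 slots.
constexpr std::size_t kCapacity = 8;
std::size_t in_use = 0;
void acquire() {
    if (in_use == kCapacity) throw std::runtime_error("pool exhausted");
    ++in_use;
}
void release() { --in_use; }

// RAII owner: the destructor releases the slot during stack unwinding.
struct SlotGuard {
    SlotGuard() { acquire(); }
    ~SlotGuard() { release(); }
    SlotGuard(const SlotGuard&) = delete;
    SlotGuard& operator=(const SlotGuard&) = delete;
};

// Hypothetical validator: throws on input it cannot accept.
void validate(const std::string& input) {
    if (input.empty()) throw std::invalid_argument("malformed request");
}

// Noncompliant: an exception from validate() skips release().
void handle_leaky(const std::string& input) {
    acquire();
    validate(input);
    release();
}

// Compliant: the guard releases the slot on every exit path.
void handle_raii(const std::string& input) {
    SlotGuard slot;
    validate(input);
}

// Send `bad` malformed requests, swallowing each error as a server loop
// would, then one well-formed request; true if that request is served.
template <typename Handler>
bool survives(Handler handler, std::size_t bad) {
    in_use = 0;  // fresh pool for each run
    for (std::size_t i = 0; i < bad; ++i)
        try { handler(""); } catch (const std::exception&) {}
    try { handler("ok"); return true; }
    catch (const std::runtime_error&) { return false; }
}
int main() { return survives(handle_raii, 1000) ? 0 : 1; }
```

With the leaky handler, the eighth malformed request takes the last slot and every later request fails, whatever its content.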
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | ALLOC.LEAK | Leak |
| Helix QAC | | DF4756, DF4757, DF4758 | |
| Klocwork | | CL.MLK | |
| LDRA tool suite | | 50 D | Partially implemented |
| Parasoft C/C++test | | CERT_CPP-ERR57-a | Ensure resources are freed |
| Polyspace Bug Finder | | CERT C++: ERR57-CPP | Checks for: |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
| SEI CERT C++ Coding Standard | MEM51-CPP. Properly deallocate dynamically allocated resources |
Bibliography
| [Cline 2009] | Question 17.2, I'm still not convinced: A 4-line code snippet shows that return-codes aren't any worse than exceptions; |
| [ISO/IEC 14882-2014] | Subclause 15.2, "Constructors and Destructors" |
| [Meyers 1996] | Item 9, "Use Destructors to Prevent Resource Leaks" |
| [Stroustrup 2001] | "Exception-Safe Implementation Techniques" |
...