CWE-401 "Memory Leak" => Example 2 => CWE-789 "Uncontrolled Memory Allocation"

CWE-401 "Memory Leak" => Example 2 => CWE-789 "Uncontrolled Memory Allocation"

Fulvio Baccaglini
Hi,

Currently CWE-401 "Improper Release of Memory Before Removing Last
Reference ('Memory Leak')" description is: "The software does not
sufficiently track and release allocated memory after it has been used,
which slowly consumes remaining memory."

Its Example 2 in C currently is:

~~~~~~~~>
bar connection(){
foo = malloc(1024);
return foo;
}
endConnection(bar foo) {

free(foo);
}
int main() {

while(1) //thread 1
//On a connection
foo=connection(); //thread 2
//When the connection ends
endConnection(foo)
}
<~~~~~~~~

I believe that the problem underlying Example 2 is equivalent to the
problem underlying this self-contained example:

~~~~~~~>
#include <stdio.h>
#include <stdlib.h>

void f (void)
{
  char * s = (char *) malloc (1024);

  int x;
  scanf ("%d", & x);
  if (x == 42)
    f ();

  free (s);
}
<~~~~~~~~

It can be argued that there is no heap memory leak here because malloc
and free are properly paired, and the problem is instead that external
or untrusted sources are being allowed to exhaust resources.

Would therefore Example 2 not be more applicable to CWE-789:
"Uncontrolled Memory Allocation"?

Fulvio


RE: CWE-401 "Memory Leak" => Example 2 => CWE-789 "Uncontrolled Memory Allocation"

Andrew Buttner
Administrator
Fulvio,

Following up on this comment ... Thank you for bringing it to our attention.
We agree that Example #2 is not an example of CWE-401.  We will remove it in
the next release.

We are still trying to determine if it is an example of CWE-789 or CWE-770, or
if some amount of restructuring of that part of the tree is needed.  CWE-789
(Uncontrolled Memory Allocation) is more focused on the size of memory being
allocated, so it is not the best fit for Example #2.  CWE-770 (Allocation of
Resources Without Limits or Throttling) is a likely better fit for this
example. We will continue to look at this and improve this area of the tree in
the next release.

Thanks
Drew



-----Original Message-----
From: Fulvio Baccaglini <[hidden email]>
Sent: Thursday, August 23, 2018 1:46 PM
To: CWE Research Discussion <[hidden email]>
Subject: CWE-401 "Memory Leak" => Example 2 => CWE-789 "Uncontrolled Memory
Allocation"

Hi,

Currently CWE-401 "Improper Release of Memory Before Removing Last Reference
('Memory Leak')" description is: "The software does not sufficiently track and
release allocated memory after it has been used, which slowly consumes
remaining memory."

Its Example 2 in C currently is:

~~~~~~~~>
bar connection(){
foo = malloc(1024);
return foo;
}
endConnection(bar foo) {

free(foo);
}
int main() {

while(1) //thread 1
//On a connection
foo=connection(); //thread 2
//When the connection ends
endConnection(foo)
}
<~~~~~~~~

I believe that the problem underlying Example 2 is equivalent to the problem
underlying this self-contained example:

~~~~~~~>
#include <stdio.h>
#include <stdlib.h>

void f (void)
{
  char * s = (char *) malloc (1024);

  int x;
  scanf ("%d", & x);
  if (x == 42)
    f ();

  free (s);
}
<~~~~~~~~

It can be argued that there is no heap memory leak here because malloc and
free are properly paired, and the problem is instead that external or
untrusted sources are being allowed to exhaust resources.

Would therefore Example 2 not be more applicable to CWE-789:
"Uncontrolled Memory Allocation"?

Fulvio
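
Added example, not part of either message or of the CWE entry: it replays the recursion from f() above on a constructed input array instead of scanf and counts live buffers, showing that every malloc is paired with a free while the number of simultaneously held buffers is set by the input unless a limit is applied. The names `alloc_stats`, `handle`, `run` and the `max_live` limit are hypothetical, introduced only for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>

#define BUF_SIZE 1024            /* fixed size, as in both examples in the thread */

/* Hypothetical bookkeeping, introduced for this example only. */
struct alloc_stats {
    size_t live;                 /* buffers allocated and not yet freed */
    size_t peak;                 /* highest value live ever reached */
    size_t refused;              /* requests rejected by the limit */
};

/* Same shape as f() in the post: one buffer per call, held across the
 * input-driven recursion and freed on return. inputs[] stands in for
 * scanf so the run is reproducible. max_live == 0 means "no limit". */
static void handle(const int *inputs, size_t n, size_t pos,
                   size_t max_live, struct alloc_stats *st)
{
    if (max_live != 0 && st->live >= max_live) {
        st->refused++;           /* throttle: refuse instead of allocating */
        return;
    }
    char *s = malloc(BUF_SIZE);
    if (s == NULL) { st->refused++; return; }
    if (++st->live > st->peak)
        st->peak = st->live;
    if (pos < n && inputs[pos] == 42)
        handle(inputs, n, pos + 1, max_live, st);
    free(s);                     /* every malloc is still paired with a free */
    st->live--;
}

struct alloc_stats run(const int *inputs, size_t n, size_t max_live)
{
    struct alloc_stats st = {0, 0, 0};
    handle(inputs, n, 0, max_live, &st);
    return st;
}

int main(void)
{
    int in[64];                  /* constructed input: the sender always says 42 */
    for (size_t i = 0; i < 64; i++) in[i] = 42;
    struct alloc_stats a = run(in, 64, 0), b = run(in, 64, 8);
    printf("no limit: peak=%zu live=%zu\n", a.peak, a.live);
    printf("limit 8:  peak=%zu refused=%zu\n", b.peak, b.refused);
    return 0;
}
```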


