RH.LEAK

Resource leak

The RH.LEAK checker finds instances in which all descriptors related to a previously acquired, but unreleased, resource are lost.

Vulnerability and risk

There are situations in which resources are limited, and if a resource isn't properly released, it will be unavailable at the next access attempt.

Vulnerable code example

Copy

1
2
3
4
5
6
7
8
9
  #include <stdio.h>
   int foo (const char *name) {
      FILE *f = fopen(name, "r");
       //...//
      if (some_error) return 1;
       //...//
      fclose(f);
      return 0;
  }

Klocwork flags the code at line 5, indicating that a resource may be lost.

Security training

Application security training materials provided by Secure Code Warrior.

CERT FIO42-C: Close files when they are no longer needed
CERT MEM00-C: Allocate and free memory in the same module, at the same level of abstraction
CERT MEM12-C: Consider using a goto chain when leaving a function on error when using and releasing resources
CWE-403: Exposure of File Descriptor to Unintended Control Sphere
CWE-404: Improper Resource shutdown or release
CWE-772: Missing Release of Resource after Effective Lifetime
Sensitive Data Exposure Training Video - Test your skills with a training example

External guidance

CERT FIO42-C: Close files when they are no longer needed
CWE-403: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CWE-404: Improper Resource Shutdown or Release
CWE-772: Missing Release of Resource after Effective Lifetime