CS.RLK

References to an object of type which implements 'IDisposable' interface are lost, but 'Dispose' method is not called.

Vulnerability and risk

Managed classes use the IDisposable interface to allow their consumers to release potentially expensive resources before the garbage collector finalizes the object.

Example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
  using System;
  using System.IO;
  
  namespace LeakExample
  {
      class Test
      {
          public String Run(String name)
          {
             StreamReader reader = new StreamReader(name);
             String result = reader.ReadToEnd();
             reader.Close();
             return result;
         }
     }
 }

Klocwork produces an issue report on the example. StreamReader class implements IDisposable interface, the implementation of Close method calls Dispose method. An object of 'StreamReader' type is allocated and its reference is assigned to 'reader' variable. If the call to 'ReadToEnd' throws an exception, control is transferred out of method 'Run', variable 'reader' goes out of scope, object referenced by it becomes lost, but related resources are not disposed.

External guidance

• CWE-772: Missing Release of Resource after Effective Lifetime
• CWE-404: Improper Resource Shutdown or Release