RH.LEAK
Resource leak
The RH.LEAK checker finds instances in which all descriptors related to a previously acquired, but unreleased, resource are lost.
Vulnerability and risk
There are situations in which resources are limited, and if a resource isn't properly released, it will be unavailable at the next access attempt.
Vulnerable code example
Copy
#include <stdio.h>
int foo (const char *name) {
FILE *f = fopen(name, "r");
//...//
if (some_error) return 1;
//...//
fclose(f);
return 0;
}Klocwork flags the code at line 5, indicating that a resource may be lost.
Security training
Application security training materials provided by Secure Code Warrior.
- CERT FIO42-C: Close files when they are no longer needed
- CERT MEM00-C: Allocate and free memory in the same module, at the same level of abstraction
- CERT MEM12-C: Consider using a goto chain when leaving a function on error when using and releasing resources
- CWE-403: Exposure of File Descriptor to Unintended Control Sphere
- CWE-404: Improper Resource shutdown or release
- CWE-772: Missing Release of Resource after Effective Lifetime
- Sensitive Data Exposure Training Video - Test your skills with a training example
External guidance
- CERT ERR57-CPP: Do not leak resources when handling exceptions
- CERT FIO22-C: Close files before spawning processes
- CERT FIO42-C: Close files when they are no longer needed
- CERT FIO51-CPP: Close files when they are no longer needed
- CERT MEM00-C: Allocate and free memory in the same module, at the same level of abstraction
- CERT MEM12-C: Consider using a goto chain when leaving a function on error when using and releasing resources
- CWE-403: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
- CWE-404: Improper Resource Shutdown or Release
- CWE-772: Missing Release of Resource after Effective Lifetime
