...
MEM31-C-EX1: Allocated memory does not need to be freed if it is assigned to a pointer with static storage duration whose lifetime is the entire execution of a programincludes program termination. The following code example illustrates a pointer that stores the return value from malloc() in a static variable:
...
Failing to free memory can result in the exhaustion of system memory resources, which can lead to a denial-of-service attack.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM31-C | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported, but no explicit checker | |||||||
| Axivion Bauhaus Suite |
| CertC-MEM31 | Can detect dynamically allocated resources that are not freed | ||||||
| CodeSonar |
| ALLOC.LEAK | Leak | ||||||
| Compass/ROSE |
| RESOURCE_LEAK ALLOC_FREE_MISMATCH | Finds resource leaks from variables that go out of scope while owning a resource | |||||||
| Cppcheck |
| memleak leakReturnValNotUsed leakUnsafeArgAlloc memleakOnRealloc | Doesn't use return value of memory allocation function | ||||||
| Cppcheck Premium |
|
| memleak leakReturnValNotUsed leakUnsafeArgAlloc memleakOnRealloc | Doesn't use return value of memory allocation function | |||||||
| Helix QAC |
| DF2706, DF2707, DF2708 C++3337, C++3338 | |||||||
| Klocwork |
|
| CL.FFM. |
| ASSIGN |
| CL.FFM. |
| COPY |
| CL. |
| SHALLOW. |
| ASSIGN |
| CL.SHALLOW.COPY FMM.MIGHT |
| FMM.MUST | |||||||||
| LDRA tool suite |
| 50 D | Partially implemented | ||||||
| Parasoft C/C++test |
| CERT_C-MEM31-a | Ensure resources are freed |
| Parasoft Insure++ |
| Runtime analysis | |||||||||
| PC-lint Plus |
| 429 | Fully supported | ||||||
| Polyspace Bug Finder |
|
| CERT C: Rule MEM31-C | Checks for memory leak (rule fully covered) | ||||||
| PVS-Studio |
| V773 |
| SonarQube C/C++ Plugin |
| S3584 |
| Splint |
|
| TrustInSoft Analyzer |
| malloc | Exhaustively verified. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| ISO/IEC TR 24772:2013 | Memory Leak [XYL] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961 | Failing to close files or free dynamic memory when they are no longer needed [fileclose] |
| Prior to 2018-01-12: CERT: Unspecified Relationship | ||
| CWE 2.11 | CWE-401, Improper Release of Memory Before Removing Last Reference ("Memory Leak") | 2017-07-05: CERT: Exact |
| CWE 2.11 | CWE-404 | 2017-07-06: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-459 | 2017-07-06: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-771 | 2017-07-06: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-772 | 2017-07-06: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-404/CWE-459/CWE-771/CWE-772 and FIO42-C/MEM31-C
Intersection( FIO42-C, MEM31-C) = Ø
CWE-404 = CWE-459 = CWE-771 = CWE-772
CWE-404 = Union( FIO42-C, MEM31-C list) where list =
- Failure to free resources besides files or memory chunks, such as mutexes)
Bibliography
...
...