What is MEMORY LEAK

A memory leak is any part of an application that consumes memory without eventually releasing it. A condition caused by a program that fails to release the extra memory it allocates.

In programming languages like C/C++, the programmer can dynamically allocate additional memory to hold data and variables that are needed now but will not be used later in the program. The programmer must remember to deallocate those memory areas when they are no longer required. When you failed to deallocate the memory which you have allocated dynamically leads to MEMORY LEAKAGE.

Significance of Memory Leak

 

An application that consumes more memory without releasing any will eventually deplete the server's memory pool. When an application repeatedly fails to return allocated memory that it has obtained for temporary use, it causes a gradual loss of available memory. As a result, the application's available memory is depleted, and the application can no longer function.

So, memory leaks are a serious problem for applications that run continuously (servers), because even a small memory leak can cause the application to crash. Failed to deallocate the memory which is no longer needed can exhaust the amount of available memory, which in turn reduces the performance of the application as well as system.

 

How To Avoid Memory Leak :

 

  1. Every malloc or calloc should have the following free function:

As good practice, write corresponding free function immediately after the malloc or calloc. It avoids the situation in which the developer forgets to write the free function. Using free() function, we can deallocate the allocated memory.

  1. If Memory requirements is lesser, Use arrays for small data processing. Arrays will automatically get deallocated after function’s exit.

  2. Take special care to deallocate in all the exit points of function. Most of the Memory leaks happen when developer later add exit condition while fixing some defect but forgets to deallocate memory in such conditional statements.

  3. If you are allocating many small chunks of memories, create your own memory management system which automatically freed at end out of execution of your functionality.

  4. It is good practice to not directly work on pointers but smart pointers can be used for some C++ programs as memory will be freed if it is not used.

 

 Vulnerable code example ::

 

/* Function with memory leak /

#include <stdlib.h>

void func()

{

        int *ptr = (int *) malloc(sizeof(int));

        ptr = NULL; / Assigned NULL address to ptr /

        free(ptr);        / Freeing the NULL ptr, but WE ARE NOT FREEING THE ALLOCATED MEMORY leads to memory leak /

        return;

}

If free is not called after dynamic memory allocation when memory is no longer needed, will lead to memory leakage. In this case Klocwork reports a Memory Leak vulnerability as below,

Memory leak. Dynamic memory stored in 'ptr' allocated through function 'malloc' at line 5 is lost at line 6

  * sample.c:5: Dynamic memory stored in 'ptr' is allocated by calling function 'malloc'.

  * sample.c:6: Dynamic memory stored in 'ptr' is lost.

 

These kind of issues at complex code also can be detected by Klocwork at the time of development itself which will help developer to write a better code.

 

Fixed code example

 

/ Function without memory leak /

#include <stdlib.h>

void func()

{

        int *ptr = (int *) malloc(sizeof(int));

        free(ptr); / Freeing the ptr /

        ptr = NULL; / Assign the NULL to ptr */

        return;

}

About Klocwork

 

Klocwork is an ISO, IEC certified static source code analysis tool from Perforce and widely adopted by more than 2,200 customers worldwide, allows developers to identify code defects, at developer’s desktop, while they are coding.

Klocwork static application security testing (SAST) for C, C++, Java and C# can identify software security, quality, and reliability issues and it can help organisations to enforce compliance with industry standards.

Klocwork can perform Dataflow Analysis, Syntax Analysis and Symbolic Logic Analysis to analyse the source code for vulnerabilities. Register here for Klocwork Trail, https://meteonic.com/contact-us or send a mail to support@meteonic.com

Click here to get E-Books and Latest Blogs