What is MEMORY LEAK:

July 11, 2022 / By Sivanesh.

A memory leak is any part of an application that consumes memory without eventually releasing it. A condition caused by a program that fails to release the extra memory it allocates.

In programming languages like C/C++, the programmer can dynamically allocate additional memory to hold data and variables that are needed now but will not be used later in the program. The programmer must remember to deallocate those memory areas when they are no longer required. When you failed to deallocate the memory which you have allocated dynamically leads to MEMORY LEAKAGE.

Significance of Memory Leak

An application that consumes more memory without releasing any will eventually deplete the server’s memory pool. When an application repeatedly fails to return allocated memory that it has obtained for temporary use, it causes a gradual loss of available memory. As a result, the application’s available memory is depleted, and the application can no longer function.

So, memory leaks are a serious problem for applications that run continuously (servers), because even a small memory leak can cause the application to crash. Failed to deallocate the memory which is no longer needed can exhaust the amount of available memory, which in turn reduces the performance of the application as well as system.

How To Avoid Memory Leak :

  • Every malloc or calloc should have the following free function:

>> It’s a good idea to include a free function after each malloc (or calloc) function. Assume you need to create an array of characters in an application to store some dynamic data. Because we know that to create a dynamic array in C programming, we use the memory management function (malloc or calloc).

>> It is a good practise to write the free function immediately after the malloc or calloc. It avoids the situation in which the developer forgets to write the free function. Using free() function, we can deallocate the allocated memory.

                                SYNTAX ::

                              void free(void *ptr);

   Frees the allocated memory which has been created by malloc(), calloc() or realloc() functions.

   Freeing an already freed block or any other block, would lead to UNDEFINED BEHAVIOUR

   Freeing NULL pointer has no effect.

Vulnerable code example ::

/* Function with memory leak */

#include <stdlib.h>

void func()

{

int *ptr = (int *) malloc(sizeof(int));

ptr = NULL; /* Assigned NULL address to ptr */

free(ptr); /* Freeing the NULL ptr, but WE ARE NOT FREEING THE ALLOCATED MEMORY  leads to memory leak */

                return;

}

If free is not called after dynamic memory allocation when memory is no longer needed, will lead to memory leakage. In this case Klocwork reports a Memory Leak vulnerability as below,

Memory leak. Dynamic memory stored in ‘ptr’ allocated through function ‘malloc’ at line 5 is lost at line 6

  * sample.c:5: Dynamic memory stored in ‘ptr’ is allocated by calling function ‘malloc’.

  * sample.c:6: Dynamic memory stored in ‘ptr’ is lost.

These kind of issues at complex code also can be detected by Klocwork at the time of development itself which will help developer to write a better code.

Fixed code example

/* Function without memory leak */

#include <stdlib.h>

void func()

{

int *ptr = (int *) malloc(sizeof(int));

free(ptr); /* Freeing the ptr */

ptr = NULL; /* Assign the NULL to ptr */

return;

}

About Klocwork

Klocwork is an ISO, IEC certified static source code analysis tool from Perforce and widely adopted by more than 2,200 customers worldwide, allows developers to identify code defects, at developer’s desktop, while they are coding.

Klocwork static application security testing (SAST) for C, C++, Java and C# can identify software security, quality, and reliability issues and it can help organisations to enforce compliance with industry standards.

Klocwork can perform Dataflow Analysis, Syntax Analysis and Symbolic Logic Analysis to analyse the source code for vulnerabilities. Register here for Klocwork Trail, or send a mail to siva@meteonic.com