If the program relies on finalize() to release system resources, or there is confusion over which part of the program is responsible for releasing system resources, then there exists a possibility for a potential resource leak. In a busy system, there might be a time gap before the finalize() method is called for an object. An attacker might exploit this vulnerability to induce a Denial of Service attack.
If there is unreleased memory, eventually the Java garbage collector will be called to free memory; however, if the program relies on non-memory resources like file descriptors and database connections, unreleased resources might lead the program to prematurely exhaust it's pool of resources. In addition, if the program uses resources like Lock or Semaphore, waiting for finalize() to release the resources may lead to resource starvation.
Noncompliant Code Example
The worst form of non-compliance is not calling methods to release the resource at all. If files are opened, they must be explicitly closed when their work is done.
public int processFile(String fileName) throws IOException, FileNotFoundException {
FileInputStream stream = new FileInputStream(fileName);
BufferedReader bufRead = new BufferedReader(stream);
String line;
while((line=bufRead.readLine())!=null) {
sendLine(line);
}
return 1;
}
This problem is aggravated in the case of database connections. Traditionally, database servers allow a fixed number of connections, which may be dependant on configuration or licensing issues. Not releasing such connections could lead to rapid exhaustion of available connections.
public void getResults(String sqlQuery) {
try {
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sqlQuery);
processResults(rs);
stmt.close();
} catch (SQLException e) { }
}
In the case above, if an error occurs while executing the statement, or while processing the results of the statement, the connection is not closed. The use of a finally block can be used to ensure that close statements are eventually called.
try {
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sqlQuery);
processResults(rs);
} catch(SQLException e) { }
finally {
rs.close();
stmt.close();
}
}
However, while being slightly better, this code is also non-compliant. Both rs and stmt might be null.
try {
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sqlQuery);
processResults(rs);
} catch(SQLException e) { }
finally {
if(rs != null) {
rs.close();
}
if(stmt != null) {
stmt.close();
}
}
}
Again, while being still better, the code is still non-compliant. This is because rs.close() might itself result in a SQLException, and so stmt.close() will never be called.
Compliant Solution
This compliant solution shows how to ensure that resources have been released.
try {
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sqlQuery);
processResults(rs);
} catch(SQLException e) { }
finally {
try {
if(rs != null) {
rs.close();
}
} catch(SQLException e) { }
try {
if(stmt != null) {
stmt.close();
}
} catch(SQLException e){}
}
Risk Assessment
Acquiring non-memory system resources and not releasing them explicitly might lead to resource exhaustion.
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[API 06]] Class Object
http://www.ibm.com/developerworks/java/library/j-jtp03216.html
----