The program fails to dispose of a managed object that utilizes unmanaged system resources.
The program fails to properly dispose of a managed object that uses unmanaged system resources.
Failure to properly dispose of a managed object that uses unmanaged system resources has at least two common causes:
- Error conditions and other exceptional circumstances.
- Confusion over which part of the program is responsible for releasing the resource.
A small subset of managed .NET objects use unmanaged system resources. .NET's Garbage Collector may not free the original managed objects in a predictable way. As such, the application may run out of available memory as the Garbage Collector is unaware of the memory consumed by the unmanaged resources. Most unmanaged resource leak issues result in general software reliability problems, but if an attacker can intentionally trigger an unmanaged resource leak, the attacker might be able to launch a denial of service attack by depleting the unmanaged resource pool.
Example 1: The following method creates a managed Bitmap Object from an incoming stream incomingStream
. The Bitmap is manipulated and persisted to the outgoing stream outgoingStream
. The Dispose()
method of incomingBitmap
and outgoingBitmap
is never explicitly called.
Normally, one can safely rely upon the Garbage Collector to do this at a safe time for managed objects that do not use unmanaged system resources. The Garbage Collector calls Bitmap.Dispose()
when it sees fit. However, the Bitmap
object utilizes scarce, unmanaged system resources. The Garbage Collector may fail to call Dispose()
before the unmanaged resource pool is depleted.
private void processBitmap(Stream incomingStream, Stream outgoingStream, int thumbnailSize)
{
Bitmap incomingBitmap = (Bitmap)System.Drawing.Image.FromStream(incomingStream);
bool validBitmap = validateBitmap(incomingBitmap);
if (!validBitmap)
throw new ValidationException(incomingBitmap);
Bitmap outgoingBitmap = new Bitmap(incomingBitmap, new Size(thumbnailSize, thumbnailSize));
outgoingBitmap.Save(outgoingStream, ImageFormat.Bmp);
}
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service
[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II
[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 404
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9
[5] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 404