Fix Fortify High finding for src/libcode/vx_data2d_nccf/nccf_file.cc : 346 #1795

@JohnHalleyGotway

Description

Describe the Task

The FOD scan of MET version 10.0.0 produced 1 Critical and 1 High finding. This task is to address that High finding described below:
Fortify_Issue_Summary_met-10.0.0.pdf

src/libcode/vx_data2d_nccf/nccf_file.cc : 346

https://fed.fortifygov.com/Releases/14151/Issues?t=-5102&g=1000005

Summary
The function open() in nccf_file.cc allocates memory on line 346 and fails to free it. Memory is allocated but never freed.

Explanation
Memory leaks have two common and sometimes overlapping causes:

  • Error conditions and other exceptional circumstances.

  • Confusion over which part of the program is responsible for freeing the memory.

In this case the memory allocated in nccf_file.cc at line 346 is not always freed or returned by the function.

Most memory leaks result in general software reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker may be able to launch a denial of service attack (by crashing the program) or take advantage of other unexpected program behavior resulting from a low memory condition [1].

```cpp
  //FIXME: Commented out with NetCDF4 enabling
  //NcError err(NcError::silent_nonfatal);

  // Open the file

  _ncFile = open_ncfile(filepath);

  if (IS_INVALID_NC_P(_ncFile))
  {
    close();
    return false;
  }

  // Pull out the dimensions
  _numDims = get_dim_count(_ncFile);
  _dims = new NcDim*[_numDims];   // line 346: the allocation Fortify reports as not freed on every path
```
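To make the finding concrete, here is an added, self-contained model of the pattern above beside an RAII rewrite; it is not code from MET or nccf_file.cc. `NcDim`, `fake_open`, `fake_dim_count` and `fake_dims_valid` are constructed stand-ins for the netCDF types and helpers, and `alloc_dims`/`free_dims` exist only so the leak can be counted.

```cpp
#include <initializer_list>
#include <memory>
#include <string>
struct NcDim {};  // stand-in for the netCDF-C++ dimension type
// Instrumentation so a leak is observable: g_live_dim_arrays counts arrays
// handed out by alloc_dims() that never came back through free_dims().
static int g_live_dim_arrays = 0;
static NcDim** alloc_dims(int n) { ++g_live_dim_arrays; return new NcDim*[n]; }
static void free_dims(NcDim** p) { if (p) { --g_live_dim_arrays; delete[] p; } }
// Constructed stand-ins for open_ncfile()/get_dim_count(): any non-empty path opens
// with 3 dimensions; a name starting with "bad" fails validation after allocation.
static bool fake_open(const std::string& p) { return !p.empty(); }
static int fake_dim_count(const std::string&) { return 3; }
static bool fake_dims_valid(const std::string& p) { return p.rfind("bad", 0) != 0; }
// Before: a model of the flagged pattern. A raw pointer owns the array, close()
// releases it only while the handle is open, the failure path drops the handle
// without calling close(), and a second open() overwrites _dims unconditionally.
struct LeakyNcfFile {
  bool _open = false;
  NcDim** _dims = nullptr;
  ~LeakyNcfFile() { close(); }
  bool open(const std::string& path) {
    if (!fake_open(path)) { close(); return false; }
    _open = true;
    _dims = alloc_dims(fake_dim_count(path));   // the allocation Fortify points at
    if (!fake_dims_valid(path)) { _open = false; return false; }  // array never freed
    return true;
  }
  void close() { if (!_open) return; _open = false; free_dims(_dims); _dims = nullptr; }
};
// After: a unique_ptr with the matching deleter owns the array, so every exit
// (early return, reopen, destructor) releases it without anyone remembering to.
struct DimsDeleter { void operator()(NcDim** p) const { free_dims(p); } };
struct SafeNcfFile {
  std::unique_ptr<NcDim*[], DimsDeleter> _dims;
  bool open(const std::string& path) {
    close();  // reopening releases the previous array first
    if (!fake_open(path)) return false;
    _dims.reset(alloc_dims(fake_dim_count(path)));
    if (!fake_dims_valid(path)) { close(); return false; }
    return true;
  }
  void close() { _dims.reset(); }
};
// Opens the paths in order on one object, destroys it, and reports how many
// dimension arrays are still live (0 means every path cleaned up).
template <class File> int arrays_leaked_by(std::initializer_list<std::string> paths) {
  g_live_dim_arrays = 0;
  { File f; for (const auto& p : paths) f.open(p); }
  return g_live_dim_arrays;
}
```

Running `arrays_leaked_by<LeakyNcfFile>({"bad.nc"})` reports one live array after the object is gone, while the `SafeNcfFile` variant reports zero for the same paths, which is the property a fix for this finding should preserve.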

Time Estimate

Estimate the amount of work required here.
Issues should represent approximately 1 to 3 days of work.

Sub-Issues

Consider breaking the task down into sub-issues.

  • Add a checkbox for each sub-issue here.

Relevant Deadlines

List relevant project deadlines here or state NONE.

Funding Source

Define the source of funding and account keys here or state NONE.

Define the Metadata

Assignee

  • Select engineer(s) or no engineer required
  • Select scientist(s) or no scientist required

Labels

  • Select component(s)
  • Select priority
  • Select requestor(s)

Projects and Milestone

  • Review projects and select relevant Repository and Organization ones or add "alert:NEED PROJECT ASSIGNMENT" label
  • Select milestone to next major version milestone or "Future Versions"

Define Related Issue(s)

Consider the impact to the other METplus components.

Task Checklist

See the METplus Workflow for details.

  • Complete the issue definition above, including the Time Estimate and Funding Source.
  • Fork this repository or create a branch of develop.
    Branch name: feature_<Issue Number>_<Description>
  • Complete the development and test your changes.
  • Add/update log messages for easier debugging.
  • Add/update unit tests.
  • Add/update documentation.
  • Push local changes to GitHub.
  • Submit a pull request to merge into develop.
    Pull request: feature <Issue Number> <Description>
  • Define the pull request metadata, as permissions allow.
    Select: Reviewer(s), Project(s), Milestone, and Linked issues
  • Iterate until the reviewer(s) accept and merge your changes.
  • Delete your fork or branch.
  • Close this issue.
