The program does not release or incorrectly releases a resource before it is made available for re-use.the function fails to release a lock it acquires, which might lead to deadlock.
1. Android SQLite Database
The Android activity fails to release the Android database handler in its onPause(), onStop(), or onDestroy() event handlers.An Android activity fails to release the Android database handler in its onPause(), onStop(), or onDestroy() event handlers.
The Android activity maintains an Android SQLite database handler that is not closed in onPause(), onStop(), or onDestroy() callback. The Android OS invokes these callbacks whenever it needs to send the current activity to the background, or when it needs to temporarily destroy the activity when system resources are low. By failing to close the database properly, the activity can potentially exhaust the device of available cursors if the activity is constantly restarted. In addition, depending on the implementation, the Android operating system can also throws DatabaseObjectNotClosedException, which crashes the application if the exception is not caught.
The following code describes an Android activity that caches user data and writes the data to disk when the activity is stopped. Note that does not override the base onPause(), which should be used to release the database object, nor does it properly release it during its shutdown sequence.
public class MyDBHelper extends SQLiteOpenHelper {
...
}
public class UnreleasedDBActivity extends Activity {
private myDBHelper dbHelper;
private SQLiteDatabase db;
@Override
public void onCreate(Bundle state) {
...
db = dbHelper.getWritableDatabase();
...
}
@Override
public void onRestart() {
...
}
@Override
public void onStop() {
db.insert(cached_data); // flush cached data
}
}
Recommendation
If the application uses a SQLite database, it must always override the onPause() method of your activity, as well as at least one of the onStop() and onDestroy() methods. In each of these methods, ensure that you call close() on the database handler or object to conserve system resources. After calling close() on the database, you can continue using Android’s SQLite storage capabilities by reconfiguring and reacquiring the instance in the onResume() callback.
In addition, it is generally a good idea to close the database object whenever it won’t be used for an extended amount of time during your application’s execution. When the application requires the resource again, simply reconfigure and reacquire it as before.
2. Streams
Resource leaks have at least two common causes:
-
Error conditions and other exceptional circumstances.
-
Confusion over which part of the program is responsible for releasing the resource.
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker may be able to launch a denial of service attack by depleting the resource pool.
The following method never closes the file handle it opens. The finalize() method for FileInputStream eventually calls close(), but there is no guarantee as to how long it will take before the finalize() method will be invoked. In a busy environment, this can result in the JVM using up all of its file handles.
private void processFile(String fName) throws FileNotFoundException, IOException {
FileInputStream fis = new FileInputStream(fName);
int sz;
byte[] byteArray = new byte[BLOCK_SIZE];
while ((sz = fis.read(byteArray)) != -1) {
processBytes(byteArray, sz);
}
}
#cybersecurity #bug-bounty #technology #coding #programming
