
Veracode Scan issue

Open priyanka-attune opened this issue 5 years ago • 1 comments

Hi,

I have used AHCategoryView in my application. Everything works fine with the library, and I have provided it to the Veracode scan for security measurement of the app, and it gives some issues related to memory deallocation and error handling.

I have provided detailed information from the scan report below. Can you please look into this and provide the necessary fixes in the next release?

Associated Flaws by CWE ID:

Use After Free (CWE ID 416)(1 flaw)

Description This variable reference occurs after its memory allocation has been freed. Using previously freed memory can corrupt valid data such as memory chunk structures or function pointers and may result in the execution of arbitrary code. Ensure that all pointers are set to NULL once the memory they point to has been freed.

Recommendations Ensure that all pointers are set to NULL once the memory they point to has been freed.

[Screenshot 2020-08-14 at 4:40:06 PM]

Error Handling(6 flaws)

Description Error handling problems occur when an application does not properly handle errors that occur during processing. If a function does not generate the correct return/status codes, or if the product does not handle all possible return/status codes that could be generated by a function, then security issues may result. Similarly, failing to catch an exception thrown by a function can potentially cause the program to crash or to behave in an unexpected manner. This type of problem is most often found in edge conditions that are rarely encountered during normal application use. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger these edge conditions.

Recommendations Never ignore return codes, assuming that a function will always succeed. Check for and handle all possible return codes to ensure that all scenarios are covered, including boundary or edge conditions. Subject the application to extensive testing to discover some of the possible instances of where and how errors or return values are not handled. Use a standard exception handling mechanism to be sure that the application properly handles all types of processing errors. Do not allow the application to throw errors up to the application container, generally the web application server.

Associated Flaws by CWE ID: Unchecked Return Value (CWE ID 252)(6 flaws)

Description Ignoring a method's return value can cause the program to overlook unexpected states and conditions. Effort to Fix: 1 - Trivial implementation error.

[Screenshot 2020-08-14 at 4:47:01 PM]

priyanka-attune avatar Aug 14 '20 11:08 priyanka-attune
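The two remediations the scan report asks for (CWE-416: null a pointer once it is freed; CWE-252: never ignore a return value) shown together in C, as an added illustration that is not AHCategoryView's code; the `label_t` type and its functions are invented for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A small owned buffer whose lifecycle mirrors the two flaw classes in the report. */
typedef struct {
    char *buf;
    size_t len;
} label_t;

/* CWE-252 remediation: the allocation result is checked and reported, never assumed. */
static int label_init(label_t *l, const char *text) {
    if (l == NULL || text == NULL) return -1;
    size_t n = strlen(text);
    char *p = malloc(n + 1);
    if (p == NULL) return -1;            /* malloc can fail; propagate instead of ignoring */
    memcpy(p, text, n + 1);
    l->buf = p;
    l->len = n;
    return 0;
}

/* CWE-416 remediation: free, then null the pointer so a later use fails closed. */
static void label_release(label_t *l) {
    if (l == NULL) return;
    free(l->buf);
    l->buf = NULL;                        /* no dangling pointer survives the free */
    l->len = 0;
}

/* Accessor refuses released storage instead of reading freed memory. */
static int label_first_char(const label_t *l) {
    if (l == NULL || l->buf == NULL) return -1;
    return (unsigned char)l->buf[0];
}

/* Corrected flow: init (checked), use, release, use again (rejected), release again (harmless). */
static int demo_lifecycle(void) {
    label_t l;
    if (label_init(&l, "Category") != 0) return -1;
    int before = label_first_char(&l);   /* 'C' while the buffer is live */
    label_release(&l);
    int after = label_first_char(&l);    /* -1: the nulled pointer is caught by the guard */
    label_release(&l);                   /* double release is a no-op thanks to the NULL */
    return (before == 'C' && after == -1) ? 0 : 1;
}
```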

Hi

Any update on this? I am waiting to resolve this issue.

priyanka-attune avatar Aug 19 '20 05:08 priyanka-attune