Suggestion of Repositioning CWE #244

We suggest that CWE #244, Failure to Clear Heap Memory Before Release, also be a child of CWE #226, Sensitive Information Uncleared Before Release.  #244 is just the specific case of (mis)using realloc() for sensitive information.

They are both children of CWE #633, Weaknesses that Affect Memory, but don't have any other connection in the CWE that we can see.

For that matter we suggest #244 NOT be a child of #404, Improper Resource Shutdown or Release.  #404 is about freeing what you allocate, unlocking what you lock, etc. - it can lead to memory leak or resource leak.  #244 talks about sensitive information being exposed because it is not erased from a resource before being released.

For your convenience, here are the URLs and descriptions

    http://cwe.mitre.org/data/definitions/244.html

      Using realloc() to resize buffers that store sensitive

      information can leave the sensitive information exposed to

      attack, because it is not removed from memory.

    http://cwe.mitre.org/data/definitions/226.html

      The software does not fully clear previously used information in

      a data structure, file, or other resource, before making that

      resource available to a party in another control sphere.

    http://cwe.mitre.org/data/definitions/404.html

      The program fails to release - or incorrectly releases - a

      system resource before it is made available for re-use.

Michael Koo

on Behalf of SAMATE Team