
CAS-002 · Question #820

CAS-002 Question #820: Real Exam Question with Answer & Explanation

The correct answer is A: Static code analysis. The code allocates heap memory with malloc() but never calls free() before exiting, a memory leak that is detectable only by examining the source code directly or with automated source analysis tools.

Question

The following has been discovered in an internally developed application:

    Error - Memory allocated but not freed:

    char *myBuffer = malloc(BUFFER_SIZE);
    if (myBuffer != NULL) {
        *myBuffer = STRING_WELCOME_MESSAGE;
        printf("Welcome to: %s\n", myBuffer);
    }
    exit(0);

Which of the following security assessment methods are likely to reveal this security weakness? (Select TWO).

Options

  • A. Static code analysis
  • B. Memory dumping
  • C. Manual code review
  • D. Application sandboxing
  • E. Penetration testing
  • F. Black box testing

Explanation

The code allocates heap memory with malloc() but never calls free() before exiting, a memory leak that is detectable only by examining the source code directly or with automated source analysis tools.

Common mistakes.

  • B. Memory dumping captures a runtime snapshot of memory contents but does not expose source-level allocation patterns or indicate which code path failed to release the buffer.
  • D. Application sandboxing isolates a process for behavioral containment and threat analysis but does not perform source code inspection and would not surface the absent free() call.
  • E. Penetration testing attempts to exploit known vulnerability classes from an attacker perspective and is not designed to audit internal memory management correctness in application source code.
  • F. Black box testing evaluates application behavior through inputs and outputs without source access, making it unable to detect or locate the specific missing deallocation statement.

Concept tested. Memory leak detection via static and manual source analysis

Reference. https://cwe.mitre.org/data/definitions/401.html
