SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 138

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 139

changes.mady.by.user Svyatoslav Razmyslov

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The consequences of this error depend on the implementation, but they range from nothing to arbitrary code execution if that memory is reused by malloc()

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM34-C

High

Likely

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

invalid-free

Fully checked
Clang
Include Page
Clang_V
Clang_V
clang-analyzer-unix.MallocChecked by clang-tidy; can detect some instances of this rule, but does not detect all
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.FNH

Free non-heap variable

Compass/ROSE
  


Can detect some violations of this rule

Coverity

Include Page
Coverity_V
Coverity_V

BAD_FREE

Identifies calls to free() where the argument is a pointer to a function or an array. It also detects the cases where
free() is used on an address-of expression, which can never be heap allocated. Coverity Prevent cannot discover all
violations of this rule, so further verification is necessary

Klocwork
Include Page
Klocwork_V
Klocwork_V

FNH.MIGHT
FNH.MUST
FUM.GEN.MIGHT
FUM.GEN.MUST

 

LDRA tool suite
Include Page
LDRA_V
LDRA_V

407 S, 483 S, 644 S, 645 S, 125 D

Partially implemented
Parasoft C/C++test
Include Page
c:
Parasoft_V
c:
Parasoft_V
BD-RES-INVFREE
 

Parasoft Insure++
  


Detect at runtime
Polyspace Bug FinderR2016aInvalid free of pointer

Pointer deallocation without a corresponding dynamic allocation

 
PRQA QA-C9.1  1769
 

PVS-Studio6.22V585, V726General analysis rule set

Related Vulnerabilities

CVE-2015-0240 describes a vulnerability in which an uninitialized pointer is passed to TALLOC_FREE(), which is a Samba-specific memory deallocation macro that wraps the talloc_free() function. The implementation of  talloc_free() would access the uninitialized pointer, resulting in a remote exploit.

...

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C Secure Coding StandardMEM31-C. Free dynamically allocated memory when no longer neededPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CMEM51-CPP. Properly deallocate dynamically allocated resourcesPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Reallocating or freeing memory that was not dynamically allocated [xfree]Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-590, Free of Memory Not on the Heap2017-07-10: CERT: Exact

Bibliography

[ISO/IEC 9899:2011]Subclause J.2, "Undefined Behavior"
[Seacord 2013b]Chapter 4, "Dynamic Memory Management"

...


...