SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 176

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 177

changes.mady.by.user Svyatoslav Razmyslov

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities. It is also a common error to misuse the realloc() function in a manner that results in double-free vulnerabilities. (See MEM04-C. Beware of zero-length allocations.)

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM30-C

High

Likely

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
 

Supported, but no explicit checker
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.UAF

Use after free
Compass/ROSE

 

 

 




Coverity

Include Page
Coverity_V
Coverity_V

USE_AFTER_FREE

Can detect the specific instances where memory is deallocated more than once or read/written to the target of a freed pointer

Klocwork
Include Page
Klocwork_V
Klocwork_V

UFM.DEREF.MIGHT
UFM.DEREF.MUST
UFM.FFM.MIGHT
UFM.FFM.MUST
UFM.RETURN.MIGHT
UFM.RETURN.MUST
UFM.USE.MIGHT
UFM.USE.MUST

 


LDRA tool suite
Include Page
LDRA_V
LDRA_V

51 D, 484 S, 112 D

Partially implemented

Parasoft C/C++test
Include Page
c:
Parasoft_V
c:
Parasoft_V
BD-RES-FREE
 

Parasoft Insure++
 
 


Detects accessing freed memory at runtime
Polyspace Bug FinderR2016a

Deallocation of previously deallocated pointer, Use of previously freed pointer

Memory freed more than once without allocation

Memory accessed after deallocation

Splint
Include Page
Splint_V
Splint_V

 

 



PRQA QA-C9.1 1769, 1770 
  PRQA

PRQA QA-C++4.2 3339, 4303, 4304 
 

PVS-Studio6.22V586, V774General analysis rule set

Related Vulnerabilities

VU#623332 describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth()

...

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C Secure Coding StandardMEM01-C. Store a new value in pointers immediately after free()Prior to 2018-01-12: CERT: Unspecified Relationship
CERT CMEM50-CPP. Do not access freed memoryPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Dangling References to Stack Frames [DCM]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Dangling Reference to Heap [XYK]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Accessing freed memory [accfree]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Freeing memory multiple times [dblfree]Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012Rule 18.6 (required)Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-416, Use After Free2017-07-07: CERT: Exact
CWE 2.11CWE-6722017-07-07: CERT: Rule subset of CWE

CERT-CWE Mapping Notes

Key here for mapping notes

...

  • Dereference of a pointer after freeing it (besides passing it to free() a second time)


Bibliography

[ISO/IEC 9899:2011]7.22.3, "Memory Management Functions"
[Kernighan 1988]Section 7.8.5, "Storage Management"
[OWASP Freed Memory]
 

[MIT 2005]
 

[Seacord 2013b]Chapter 4, "Dynamic Memory Management"
[Viega 2005]Section 5.2.19, "Using Freed Memory"
[VU#623332]
 

[xorl 2009]CVE-2009-1364: LibWMF Pointer Use after free()

...


...