...
This noncompliant code example shows a double-free vulnerability resulting from memory being allocated and freed at differing levels of abstraction. In this example, memory for the list array is allocated in the process_list() function. The array is then passed to the verify_listsize() function, which performs error checking on the size of the list. If the size of the list is below a minimum size, the memory allocated to the list is freed and the function returns to the caller. The calling function then frees this same memory again, resulting in a double-free and a potentially exploitable vulnerability.
...
The call to free memory in the verify_listsize() function takes place in a subroutine of the process_list() function, at a different level of abstraction from the allocation, resulting in a violation of this recommendation. The memory deallocation also occurs in error-handling code, which is frequently not as well tested as the "green paths" through the code.
...
To correct this problem, the error-handling code in verify_listsize() is modified so that it no longer frees list. This change ensures that list is freed only once, at the same level of abstraction, in the process_list() function.
...
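The compliant structure described above, written out as an added example (not the page's own code): verify_listsize() only reports a bad size, and process_list(), which owns the allocation, is the single place that frees it. The MIN_SIZE_ALLOWED threshold and the free_count instrumentation are assumptions introduced here to make the single release point observable.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed threshold; the page does not show the actual minimum size. */
#define MIN_SIZE_ALLOWED 4

/* Instrumentation added for this example: counts releases of list so a test
   can confirm that each allocation is freed exactly once. */
int free_count = 0;

/* Error checking on the size of the list. Compliant form: on a bad size it
   returns an error to the caller instead of freeing memory it did not
   allocate. (The noncompliant version freed list here before returning,
   which led to the second free in process_list().) */
static int verify_listsize(const int *list, size_t size) {
    if (list == NULL || size < MIN_SIZE_ALLOWED) {
        return -1;  /* caller owns list and decides how to clean up */
    }
    return 0;
}

/* Allocates list, has it checked, and frees it at this same level of
   abstraction regardless of whether the check succeeded. */
int process_list(size_t size) {
    int *list = (int *)malloc(size * sizeof(*list));
    if (list == NULL) {
        return -1;
    }

    int status = verify_listsize(list, size);
    if (status == 0) {
        /* ... process list ... */
    }

    free(list);     /* single release point for the allocation */
    free_count++;
    return status;
}
```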