Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: for some reason i prefer "because" to "since" when not dealing with time

Wiki Markup
According \[[ISO/IEC 9899-1999| AA. C References#ISO/IEC 9899-1999]\], the behavior of a program that uses the value of a pointer that refers to space deallocated by a call to the {{free()}} or {{realloc()}} function is [undefined | BB. Definitions#undefined behavior] (see [undefined behavior 168 | CC. Undefined Behavior#ub_168] of Annex J).

...

Wiki Markup
This example from Kernighan and Ritchie \[[Kernighan 88|AA. C References#Kernighan 88]\] shows both the incorrect and correct techniques for deleting items from a linked list. The incorrect solution, clearly marked as wrong in the book, is bad because {{p}} is freed before the {{p->next}} is executed, so {{p->next}} reads memory that has already been freed.

...

Wiki Markup
In this noncompliant example ([CVE-2009-1364|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1364]) from {{libwmf}} version 0.2.8.4, the return value of {{gdRealloc}} (a simple wrapper around {{realloc}} which reallocates space pointed to by {{im->clip->list}}) is set to {{more}}. However, the value of {{im->clip->list}} is used directly afterwards in the code, and [ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999] specifies that if {{realloc}} moves the area pointed to, then the original is freed. An attacker can then execute arbitrary code by forcing a reallocation (with a sufficient {{im->clip->count}}) and accessing freed memory \[[xorl 2009|http://xorl.wordpress.com/2009/05/05/cve-2009-1364-libwmf-pointer-use-after-free/]\].

...

Wiki Markup
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.3.2, "The {{free}} function"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "DCM Dangling references to stack frames" and "XYK Dangling Reference to Heap"
\[[Kernighan 88|AA. C References#Kernighan 88]\] Section 7.8.5, "Storage Management"
\[[MISRA 04|AA. C References#MISRA 04]\] Rule 17.6
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 416|http://cwe.mitre.org/data/definitions/416.html], "Use After Free"
\[[OWASP Freed Memory|AA. C References#OWASP Freed Memory]\]
\[[Seacord 05a|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management"
\[[Viega 05|AA. C References#Viega 05]\] Section 5.2.19, "Using freed memory"
\[[xorl 2009|AA. C References#xorl 2009]\] ["CVE-2009-1364: LibWMF Pointer Use after free()"|http://xorl.wordpress.com/2009/05/05/cve-2009-1364-libwmf-pointer-use-after-free/]

...