SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 88

changes.mady.by.user Pranjal Jumde

Saved on

compared with

New Version 89

changes.mady.by.user Pranjal Jumde

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: updated for consistency with TS 17961

As noted in undefined behavior 179 of Annex J of the C standard [ISO/IEC 9899:2011], the behavior of a program is undefined when

the pointer argument to the free or realloc function does not match a pointer earlier returned by a memory management function, or the space has been deallocated by a call to free or realloc.

Freeing memory that is not allocated dynamically can lead to serious errors similar to those discussed in MEM31-C. Free dynamically allocated memory exactly once. The specific consequences of this error depend on the implementation, but they range from nothing to abnormal program termination. Regardless of the implementation, avoid calling free() on anything other than a pointer returned by a dynamic-memory allocation function, such as malloc(), calloc(), realloc(), or aligned_alloc.

...

Code Block
bgColor#ccccff
langc
enum { MAX_ALLOCATION = 1000 };

int main(int argc, const char *argv[]) {
  char *str = NULL;
  size_t len;

  if (argc == 2) {
    len = strlen(argv[1])+1;
    if (len > MAX_ALLOCATION) {
      /* Handle error */
    }
    str = (char *)malloc(len);
    if (str == NULL) {
      /* Handle allocation error */
    }
    strcpy(str, argv[1]);
  }
  else {
    printf("%s\n", "usage: $>a.exe [string]");
    return -1;
  }
  /* ... */
  free(str);
  return 0;
}

Noncompliant Code Example (realloc())

In this noncompliant example, the pointer parameter to realloc(), buf, does not refer to dynamically allocated memory.

Code Block
bgColor#FFcccc
langc
#define BUFSIZE 256
 
void f(void) {
  char buf[BUFSIZE];
  char *p;
  /* ... */
  p = (char *)realloc(buf, 2 * BUFSIZE);  /* violation */
  /* ... */
}

Compliant Solution(realloc())

In this compliant solution, buf refers to dynamically allocated memory.

Code Block
bgColor#ccccff
langc
#define BUFSIZE 256
 
void f(void) {
  char *buf = (char *)malloc(BUFSIZE * sizeof(char));
  char *p;
  /* ... */
  p = (char *)realloc(buf, 2 * BUFSIZE);  /* violation */
  /* ... */
}

Risk Assessment

Freeing or reallocating memory that was not dynamically allocated can lead to arbitrary code execution if that memory is reused by malloc().

...

Tool

Version

Checker

Description

LDRA tool suite

Include Page
LDRA_V
LDRA_V

483 S

Fully implemented.

Coverity

Include Page
Coverity_V
Coverity_V

BAD_FREE

Identifies calls to free() where the argument is a pointer to a function or an array. It also detects the cases where Free is used on an address-of expression, which can never be heap allocated. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

Klocwork

Include Page
Klocwork_V
Klocwork_V

FNH.MIGHT
FNH.MUST
FUM.GEN.MIGHT
FUM.GEN.MUST

 

Compass/ROSE

  

Can detect some violations of this rule.

...

MITRE CWE: CWE-590, "Free of invalid pointer not on the heap"

Bibliography

[Seacord 2005] Chapter 4, "Dynamic Memory Management"

...