...

In this noncompliant code example, the memory referenced by x may be freed twice: once if error_condition is true and again at the end of the function:

#include <stdlib.h>

int f(size_t n) {
  int error_condition = 0;

  int *x = (int *)malloc(n * sizeof(int));
  if (x == NULL)
    return -1;

  /* Use x and set error_condition on error. */

  if (error_condition == 1) {
    /* Handle error condition */
    free(x);   /* first free of the block */
  }

  /* ... */
  free(x);     /* second free of the same block when error_condition == 1 */
  return error_condition;
}

...

In this compliant solution, the memory referenced by x is freed only once. This is accomplished by eliminating the call to free() when error_condition is set; the single free() at the end of the function runs on every path that reaches it:

#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

int f(size_t n) {
  int error_condition = 0;

  /* Reject sizes for which n * sizeof(int) would wrap. */
  if (n > SIZE_MAX / sizeof(int)) {
    errno = EOVERFLOW;
    return -1;
  }

  int *x = (int *)malloc(n * sizeof(int));
  if (x == NULL) {
    /* Report allocation failure to caller. */
    return -1;
  }

  /* Use x and set error_condition on error. */

  if (error_condition != 0) {
    /* Handle error condition and proceed; do not free x here. */
  }

  free(x);   /* the only free() of x */

  return error_condition;
}

...

The memory referenced by p may be freed twice in this noncompliant code example:

#include <stdlib.h>

void f(void *p, size_t size) {
  /* p is a pointer to dynamically allocated memory */
  void *p2 = realloc(p, size);
  if (p2 == NULL) {
    free(p); /* p may be indeterminate when (size == 0) */
    return;
  }
  /* ... use p2 ... */
}

...

  1. Glibc (GNU/Linux)
  2. AIX
  3. HP-UX
  4. Solaris
  5. OSF/1

This means that on implementations that free the original block when size is 0, calling free() on the original pointer after a NULL return can result in a double-free vulnerability. However, on implementations that do not free it, omitting the free() call leaks the memory. Code that passes a size of 0 to realloc() therefore cannot be both portable and correct.

...

In this compliant solution, realloc() is never called with a size of zero, ensuring that p is freed exactly once on every path:

#include <stdlib.h>

void f(void *p, size_t size) {
  /* p is a pointer to dynamically allocated memory */
  void *p2;
  if (size) {
    p2 = realloc(p, size);
    if (p2 == NULL) {
      free(p);  /* size != 0, so realloc() did not free p: this is its only free() */
      return;
    }
    p = p2;
  }
  else {
    free(p);    /* realloc(p, 0) is never called, so p is freed here exactly once */
    return;
  }
  /* ... use p ... */
}
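The two compliant solutions on this page share one discipline: a block has exactly one owner, and exactly one statement releases it. The following code is an added example, not part of the CERT rule; the helper resize_array() and the caller use_array() are hypothetical names chosen here. The helper folds the realloc() rules of the second solution into a contract the caller can rely on (on failure the original block is still owned by the caller; n == 0 is handled without ever passing size 0 to realloc()), and the caller applies the single-cleanup-path structure of the first solution so that free() runs once regardless of which step fails.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * resize_array() is a hypothetical helper written for this example; it is
 * not part of the CERT rule. It resizes *pp to n elements of elem_size
 * bytes each and keeps the ownership rules simple for the caller:
 *
 *   return 0  -> *pp owns the new block (NULL when n == 0, because the old
 *                block has been freed here, exactly once)
 *   return -1 -> errno is set and *pp still owns the original block, so the
 *                caller's normal cleanup path frees it, exactly once
 *
 * realloc() is never called with size 0, so the implementation-defined
 * behaviour of realloc(p, 0) never comes into play.
 */
int resize_array(void **pp, size_t n, size_t elem_size) {
  if (pp == NULL || elem_size == 0) {
    errno = EINVAL;
    return -1;
  }
  if (n == 0) {
    free(*pp);     /* the only free() of this block */
    *pp = NULL;    /* a later free(*pp) is then a harmless no-op */
    return 0;
  }
  if (n > SIZE_MAX / elem_size) {
    errno = EOVERFLOW;   /* n * elem_size would wrap */
    return -1;
  }
  void *p2 = realloc(*pp, n * elem_size);
  if (p2 == NULL) {
    /* size was nonzero, so realloc() left *pp allocated: do not free it
       here, or the caller's cleanup would free it a second time. */
    errno = ENOMEM;
    return -1;
  }
  *pp = p2;
  return 0;
}

/*
 * use_array() shows the caller side: like the first compliant solution, it
 * has a single cleanup path, so free() executes exactly once no matter
 * which step fails. Returns 0 on success or the number of the failing step.
 */
int use_array(size_t n) {
  int status = 0;
  void *buf = NULL;   /* always the sole owner of the block, or NULL */
  int *x;

  if (resize_array(&buf, n, sizeof *x) != 0) {
    status = 1;
    goto cleanup;     /* buf is still NULL; free(NULL) is a no-op */
  }
  x = buf;
  for (size_t i = 0; i < n; i++) {
    x[i] = (int)i;
  }

  if (resize_array(&buf, n + 1, sizeof *x) != 0) {
    status = 2;
    goto cleanup;     /* buf still owns the original block */
  }
  x = buf;
  if (n > 0 && x[n - 1] != (int)(n - 1)) {
    status = 3;       /* contents must survive the grow */
    goto cleanup;
  }

  if (resize_array(&buf, 0, sizeof *x) != 0) {
    status = 4;
    goto cleanup;
  }
  /* buf is now NULL: the block was released once, inside resize_array() */

cleanup:
  free(buf);          /* the only free() in this function */
  return status;
}
```

Setting *pp to NULL after the explicit free() is what makes the caller's single free(buf) safe even on the path where the helper has already released the block; the goto-cleanup shape is what keeps the number of free() call sites at one, which is the property a static checker such as those listed in the table below can verify mechanically.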

...

Tool              Version   Checker          Description
Compass/ROSE
Coverity                    RESOURCE_LEAK    Finds resource leaks from variables that go out of scope while owning a resource.
                            USE_AFTER_FREE   Can find instances where freed memory is freed again. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.
Fortify SCA       5.0       Double Free
Klocwork                    MLK, UFM.FFM
LDRA tool suite             484 S            Fully implemented.
Splint

...

...