...
| Code Block | ||
|---|---|---|
| ||
#define MAX_ALLOCATION 1000
int main(int argc, char *argv[]) {
char *str = NULL;
size_t len;
if (argc == 2) {
len = strlen(argv[1])+1;
if (len > MAX_ALLOCATION) {
/* Handle Error */
}
str = malloc(len);
if (str == NULL) {
/* Handle Allocation Error */
}
strcpy(str, argv[1]);
}
else {
str = "usage: $>a.exe [string]";
printf("%s\n", str);
}
/* ... */
free(str);
return 0;
}
|
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM34-C | 1 (highlow) | 3 (likely) | 2 (highmedium) | P6 | L1 L2 |
Automated Detection
The Coverity Prevent BAD_FREE checker identifies calls to free() where the argument is pointer to a function or an array. Coverity Prevent cannot discover all violations of this rule so further verification is necessary.
...
Search for vulnerabilities resulting from the violation of this rule on the CERTwebsite CERT website.
References
| Wiki Markup |
|---|
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.3, "Memory management functions" \[[Seacord 05|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management" |