...
| Wiki Markup |
|---|
This example from Kernighan and Ritchie \[[Kernighan 1988|AA. Bibliography#Kernighan 88]\] shows both the incorrect and correct techniques for deleting items from a linked list. The incorrect solution, clearly marked as wrong in the book, is bad because {{p}} is freed before the {{p->next}} is executed, so {{p->next}} reads memory that has already been freed. |
| Code Block |
|---|
|
for (p = head; p != NULL; p = p->next)
free(p);
|
...
Kernighan and Ritchie also show the correct solution. To correct this error, a reference to p->next is stored in q before freeing p.
| Code Block |
|---|
|
for (p = head; p != NULL; p = q) {
q = p->next;
free(p);
}
head = NULL;
|
...
In this noncompliant code example, buff is written to after it has been freed. These vulnerabilities can be easily exploited to run arbitrary code with the permissions of the vulnerable process and are seldom this obvious. Typically, allocations and frees are far removed, making it difficult to recognize and diagnose these problems.
| Code Block |
|---|
|
int main(int argc, const char *argv[]) {
char *buff;
buff = (char *)malloc(BUFFERSIZE);
if (!buff) {
/* Handle error condition */
}
/* ... */
free(buff);
/* ... */
strncpy(buff, argv[1], BUFFERSIZE-1);
}
|
...
In this compliant solution do not free the memory until it is no longer required.
| Code Block |
|---|
|
int main(int argc, const char *argv[]) {
char *buff;
buff = (char *)malloc(BUFFERSIZE);
if (!buff) {
/* Handle error condition */
}
/* ... */
strncpy(buff, argv[1], BUFFERSIZE-1);
/* ... */
free(buff);
}
|
...
| Wiki Markup |
|---|
In this noncompliant example ([CVE-2009-1364|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1364]) from {{libwmf}} version 0.2.8.4, the return value of {{gdRealloc}} (a simple wrapper around {{realloc}} which reallocates space pointed to by {{im->clip->list}}) is set to {{more}}. However, the value of {{im->clip->list}} is used directly afterwards in the code, and [ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999] specifies that if {{realloc}} moves the area pointed to, then the original is freed. An attacker can then execute arbitrary code by forcing a reallocation (with a sufficient {{im->clip->count}}) and accessing freed memory \[[xorl 2009|http://xorl.wordpress.com/2009/05/05/cve-2009-1364-libwmf-pointer-use-after-free/]\]. |
| Code Block |
|---|
|
void gdClipSetAdd(gdImagePtr im,gdClipRectanglePtr rect) {
gdClipRectanglePtr more;
if (im->clip == 0) {
...
}
if (im->clip->count == im->clip->max) {
more = gdRealloc (im->clip->list,(im->clip->max + 8) *
sizeof (gdClipRectangle));
if (more == 0) return; //if the realloc fails, then we have not lost the im->clip->list value
im->clip->max += 8;
}
im->clip->list[im->clip->count] = (*rect);
im->clip->count++;
|
...
The compliant solution simply reassigns im->clip->list to the value of more after the call to realloc.
| Code Block |
|---|
|
void gdClipSetAdd(gdImagePtr im,gdClipRectanglePtr rect) {
gdClipRectanglePtr more;
if (im->clip == 0) {
...
}
if (im->clip->count == im->clip->max) {
more = gdRealloc (im->clip->list,(im->clip->max + 8) *
sizeof (gdClipRectangle));
if (more == 0) return;
im->clip->max += 8;
im->clip->list = more;
}
im->clip->list[im->clip->count] = (*rect);
im->clip->count++;
|
...
