SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 100

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 101

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
According \[[ISO/IEC 9899-1999|AA. Bibliography#ISO/IEC 9899-1999]\], the behavior of a program that uses the value of a pointer that refers to space deallocated by a call to the {{free()}} or {{realloc()}} function is [undefined |BB. Definitions#undefined behavior]. (seeSee [undefined behavior 168 |CC. Undefined Behavior#ub_168] of Annex J.).

Reading a pointer to deallocated memory is undefined because the pointer value is indeterminate and may have a trap representation . In the latter case, doing so may cause a hardware trap.

...

Wiki Markup
This example from Kernighan and Ritchie \[[Kernighan 881988|AA. Bibliography#Kernighan 88]\] shows both the incorrect and correct techniques for deleting items from a linked list. The incorrect solution, clearly marked as wrong in the book, is bad because {{p}} is freed before the {{p->next}} is executed, so {{p->next}} reads memory that has already been freed.

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM30-C

high

likely

medium

P18

L1

Automated Detection

The LDRA tool suite Version 7.6.0 can detect violations of this rule.

Fortify SCA Version 5.0 can detect violations of this rule.

Splint Version 3.1.1 can detect violations of this rule.

Compass/ROSE can detect violations of the rule.

...

Section

LDRA tool suite

Include Page
c:LDRA_V
c:LDRA_V

 

 

Section

Fortify SCA

Section

V. 5.0

 

 

Section

Splint

Include Page
c:Splint_V
c:Splint_V

 

 

Section

Compass/ROSE

 

 

 

Section

Coverity Prevent

Include Page
c:Coverity_V
c:Coverity_V
Section

USE_AFTER_FREE

Section

can detect the specific instances where Memory is deallocated more than once or Read/Write to target of a freed pointer

...

Section

Klocwork

Include Page
c:Klocwork_V
c:Klocwork_V
Section

UFM.DEREF.MIGHT

...


UFM.DEREF.MUST

...


UFM.RETURN.MIGHT

...


UFM.RETURN.MUST

...


UFM.USE.MIGHT

...


UFM.USE.MUST

...

 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

Related Guidelines

This rule appears in the C++ Secure Coding Standard as : MEM30-CPP. Do not access freed memory.

Bibliography

Wiki Markup
\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 7.20.3.2, "The {{free}} function"
\[[ISO/IEC PDTR 24772|AA. Bibliography#ISO/IEC PDTR 24772]\] "DCM Dangling references to stack frames" and "XYK Dangling Reference to Heap"
\[[Kernighan 881988|AA. Bibliography#Kernighan 88]\] Section 7.8.5, "Storage Management"
\[[MISRA 042004|AA. Bibliography#MISRA 04]\] Rule 17.6
\[[MITRE 072007|AA. Bibliography#MITRE 07]\] [CWE ID 416|http://cwe.mitre.org/data/definitions/416.html], "Use After Free"
\[[OWASP Freed Memory|AA. Bibliography#OWASP Freed Memory]\]
\[[Seacord 05a2005a|AA. Bibliography#Seacord 05]\] Chapter 4, "Dynamic Memory Management"
\[[Viega 052005|AA. Bibliography#Viega 05]\] Section 5.2.19, "Using freed memory"
\[[xorl 2009|AA. Bibliography#xorl 2009]\] ["CVE-2009-1364: LibWMF Pointer Use after free()"|http://xorl.wordpress.com/2009/05/05/cve-2009-1364-libwmf-pointer-use-after-free/]

...