SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 92

changes.mady.by.user Martin Sebor

Saved on

compared with

New Version 93

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Freeing memory multiple times has similar consequences to accessing memory after it is freed. (see See guideline MEM30-C. Do not access freed memory.) . First, reading a pointer to deallocated memory is undefined because the pointer value is indeterminate and may have a trap representation . In the latter case, doing so may cause a hardware trap. When reading a freed pointer doesn't cause a trap, the underlying data structures that manage the heap can become corrupted in a way that can introduce security vulnerabilities into a program. These types of issues are referred to as double-free vulnerabilities. In practice, double-free vulnerabilities can be exploited to execute arbitrary code. One example of this is VU#623332, which describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth(), is one example.

To eliminate double-free vulnerabilities, it is necessary to guarantee that dynamic memory is freed exactly one time. Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities. It is also a common error to misuse the realloc() function in a manner that results in double-free vulnerabilities. (see See guideline MEM04-C. Do not perform zero length allocations.).

Noncompliant Code Example

...

Note that this solution checks for numeric overflow. (see See guideline INT32-C. Ensure that operations on signed integers do not result in overflow.).

Risk Assessment

Freeing memory multiple times can result in an attacker executing arbitrary code with the permissions of the vulnerable process.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM31-C

high

probable

medium

P12

L1

Automated Detection

The LDRA tool suite Version 7.6.0 can detect violations of this rule.

Fortify SCA Version 5.0 can detect violations of this rule with the Double Free checker.

Splint Version 3.1.1 can detect violations of this rule.

...

Section

LDRA tool suite

Include Page
c:LDRA_V
c:LDRA_V

 

 

Section

Fortify SCA

Section

V. 5.0

Section

Double Free

 

Section

Splint

Include Page
c:Splint_V
c:Splint_V

 

 

Section

Coverity Prevent

Include Page
c:Coverity_V
c:Coverity_V
Section

RESOURCE_LEAK

Section

finds resource leaks from variables that go out of scope while owning a resource

...

Section

Coverity Prevent

Include Page
c:Coverity_V
c:Coverity_V
Section

USE_AFTER_FREE

...

Section

can find the instances where a freed memory is freed again. Coverity Prevent cannot discover all violations of this rule so further verification is necessary

...

Section

Compass/ROSE

 

 

Section

can detect some violations of this rule. In particular, false positives may be raised if a variable is freed by a different function than the one that allocated it. Also, it is unable to warn on cases where a call to free() happens inside of a for-loop

...

Section

Klocwork

Include Page
c:Klocwork_V
c:Klocwork_V
Section

MLK
UFM.FFM

 

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

Related Guidelines

This rule appears in the C++ Secure Coding Standard as : MEM31-CPP. Free dynamically allocated memory exactly once.

Bibliography

Wiki Markup
\[[ISO/IEC PDTR 24772|AA. Bibliography#ISO/IEC PDTR 24772]\] "XYK Dangling Reference to Heap" and "XYL Memory Leak"
\[[MIT 052005|AA. Bibliography#MIT 05]\]
\[[MITRE 072007|AA. Bibliography#MITRE 07]\] [CWE ID 415|http://cwe.mitre.org/data/definitions/415.html], "Double Free"
\[[OWASP, Double Free|AA. Bibliography#OWASP Double Free]\]
\[[Viega 052005|AA. Bibliography#Viega 05]\] "Doubly freeing memory"
\[[VU#623332|AA. Bibliography#VU623332]\]

...