SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 98

changes.mady.by.user Adrian Trejo Nuñez

Saved on

compared with

New Version 99

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: move realloc to second example and localized realloc specific text from example

...

To eliminate double-free vulnerabilities, it is necessary to guarantee that dynamic memory is freed exactly one time. Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities. It is also a common error to misuse the realloc() function in a manner that results in double-free vulnerabilities. (See recommendation MEM04-C. Do not perform zero length allocations.)

Wiki Markup
According to the C99 standard \[[ISO/IEC 9899-1999|AA. Bibliography#ISO/IEC 9899-1999]\] (7.20.3):

If the size of the space requested is zero, the behavior is implementation defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object.

and (7.20.3.4):

If memory for the new object cannot be allocated, the old object is not deallocated and its value is unchanged.

If realloc() is called with size equal to 0, then if a NULL pointer is returned, the old value should be unchanged. However, there are some implementations that free the pointer, which means that calling free on the original pointer might result in a double-free vulnerablility, however, not calling free on the original pointer might result in a memory leak.

See Implementation-Specific 7.35 Performing zero length allocations (MEM04-C) for more information.

Noncompliant Code Example

...

In this example, p may be freed twice.

...

bgColor#FFCCCC

...

(

...

(malloc())

In this

Compliant Code Example

In this example, p is freed exactly once.

Code Block
bgColor#ccccff

/* p is a pointer to dynamically allocated memory */
if(size) {
  p2 = realloc(p, size);
  if(p2 == NULL) {
    free(p);
    return;
  }
}
else {
    free(p);
    return;
}

Noncompliant Code Example

In this noncompliant code example, the memory referred to by x may be freed twice: once if error_condition is true and again at the end of the code.

Code Block
bgColor#FFCCCC
int f(size_t n) {
  int error_condition = 0;

  int *x = (int*)malloc(n * sizeof(int));
  if (x == NULL)
    return -1;

  /* Use x and set error_condition on error. */

  if (error_condition == 1) {
    /* Handle error condition*/
    free(x);
  }

  /* ... */
  free(x);
  return error_condition;
}

Compliant Solution ((malloc())

In this compliant solution, the free a referenced by x is only freed once. This is accomplished by eliminating the call to free() when error_condition is set.

...

Note that this solution checks for numeric overflow. (See rule INT32-C. Ensure that operations on signed integers do not result in overflow.)

Noncompliant Code Example (realloc())

The memory referenced by p may be freed twice in this noncompliant code example.

Code Block
bgColor#FFCCCC

/* p is a pointer to dynamically allocated memory */
p2 = realloc(p, size);
if (p2 == NULL) {
  free(p); /* p may be indeterminate when (size == 0) */
  return;
}

Wiki Markup
According to the C99 standard \[[ISO/IEC 9899-1999|AA. Bibliography#ISO/IEC 9899-1999]\] (7.20.3):

If the size of the space requested is zero, the behavior is implementation defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object.

and (7.20.3.4):

If memory for the new object cannot be allocated, the old object is not deallocated and its value is unchanged.

If realloc() is called with size equal to 0, then if a NULL pointer is returned, the old value should be unchanged. However, there are some common but non-conforming implementations that free the pointer, which means that calling free on the original pointer might result in a double-free vulnerability. However, not calling free on the original pointer might result in a memory leak.

See Implementation-Specific 7.35 Performing zero length allocations (MEM04-C) for more information.

Compliant Code Example (realloc())

In this compliant solution, allocations of zero-bytes are prevented, ensuring that p is freed exactly once.

Code Block
bgColor#ccccff

/* p is a pointer to dynamically allocated memory */
if (size) {
  p2 = realloc(p, size);
  if (p2 == NULL) {
    free(p);
    return;
  }
}
else {
  free(p);
  return;
}

Risk Assessment

Freeing memory multiple times can result in an attacker executing arbitrary code with the permissions of the vulnerable process.

...