SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 44

changes.mady.by.user Lee Mancuso

Saved on

compared with

New Version 45

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Freeing memory multiple times has similar consequences to accessing memory after it is freed. The underlying data structures that manage the heap can become corrupted in a way that could introduce security vulnerabilities into a program. These types of issues are referred to as double-free vulnerabilities. In practice, double-free vulnerabilities can be exploited to execute arbitrary code. VU#623332, which describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth(), is one example.

Wiki Markup
To eliminate double-free vulnerabilities, it is necessary to guarantee that dynamic memory is freed exactly one time. Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities.  It is also a common error to misuse the {{realloc()}} function in a manner that results in double-free vulnerabilities (see \[[MEM04-A. Do not make assumptions about the result of allocating 0 bytes]].

Non-Compliant Code Example

...

Code Block
bgColor#FFCCCC
x = malloc (number * sizeof(int));
if (x == NULL) {
  /* Handle Allocation Error */
}
/* ... */
if (error_conditon == 1) {
  /* Handle Error Condition*/
  free(x);
}
/* ... */
free(x);

Compliant Solution

Wiki MarkupOnly free a pointer to dynamic memory referred to by {{x}} once. This is accomplished by removing the call to {{free()}} in the section of code executed when {{error_condition}} is true. Note that this solution checks for numeric overflow \[[INT32-C. Ensure that integer operations do not result in an overflow]\].

Code Block
bgColor#ccccff
if (sizeof(int) > SIZE_MAX/number) {
   /* handle overflow */
  }
x = malloc(number * sizeof(int));
if (x == NULL) {
  /* Handle Allocation Error */
}
/* ... */
if (error_conditon == 1) {
  /* Handle Error Condition*/
}
/* ... */
free(x);

Wiki Markup
Note that this solution checks for numeric overflow \[[INT32-C. Ensure that integer operations do not result in an overflow]\].

Risk Assessment

Freeing memory multiple times can result in an attacker executing arbitrary code with the permissions of the vulnerable process.

...