Calling free() on a block of dynamic memory marks that memory for deallocation. Once deallocated, the block of memory is made available for future allocation. However, the data stored in the block of memory to be recycled may be preserved. If this memory block contains sensitive information, that information may be unintentionally exposed.
| Wiki Markup |
|---|
hisThis type of defect can lead to information leakage as is stated in Rule: [MEM33-C. Do not assume memory allocation routines initialize memory]. Other attacks, such as _heap inspection_ \[[vulncat|http://vulncat.fortifysoftware.com/2/HI.html] and [samate|http://samate.nist.gov/docs/SAMATE_source_code_analysis_tool_spec_09_15_06.pdf]\] can also occur. To prevent other information leakage and heap inspection it is necessary to clear sensitive information from dynamically allocated buffers before they are freed. |
...