Accessing memory once it is freed may corrupt the data structures used to manage the heap. When a chunk of memory is freed using `free`, the underlying structures that manage the block of memory to be freed manipulate that chunk to place it back into the pool of memory available for allocation. References to memory that has been deallocated are referred to as dangling pointers. Accessing a dangling pointer can lead to security vulnerabilities.

When memory is freed, its contents may remain intact and accessible. This is because it is at the memory manager's discretion when to reallocate or recycle the freed chunk. The data at the freed location may appear to be valid. However, this can change unexpectedly, leading to unintended program behavior. As a result, it is necessary to guarantee that memory is not written to or read from once it is freed.

Non-compliant Code Example 1

This example from ... shows items being deleted from a linked list. Because `p` is freed before `p->next` is executed, `p->next` reads memory that has already been freed.

```c
for (p = head; p != NULL; p = p->next) {
    free(p);  /* p->next in the loop header is evaluated after p is freed */
}
```

Compliant Solution 1

To correct this error, a reference to `p->next` is stored in `q` before freeing `p`.

```c
for (p = head; p != NULL; p = q) {
    q = p->next;  /* save the successor while p is still valid */
    free(p);
}
```

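The following is an added example, not code from the original page. It goes beyond Compliant Solution 1 by also removing selected nodes during traversal, another place where `p->next` can end up being read after `free(p)`. The node type, the function names and the sample values 1..6 are assumptions made for illustration.

```c
#include <stdlib.h>
/* Hypothetical node type; the page does not show the list's definition. */
struct node { int value; struct node *next; };

/* Push on the front; returns 0 on success, -1 if malloc fails. */
int list_push(struct node **head, int value) {
    struct node *n = malloc(sizeof *n);
    if (n == NULL) return -1;
    *n = (struct node){ value, *head };
    *head = n;
    return 0;
}

/* Unlink and free each node matching pred; returns the number removed. */
size_t list_remove_if(struct node **head, int (*pred)(int)) {
    size_t removed = 0;
    struct node **link = head;  /* the pointer that refers to the current node */
    while (*link != NULL) {
        struct node *p = *link;
        if (pred(p->value)) {
            *link = p->next;    /* copy the successor out while p is valid */
            free(p);            /* nothing reads p after this line */
            removed++;
        } else {
            link = &p->next;
        }
    }
    return removed;
}

/* Free the whole list as in Compliant Solution 1; returns the number freed. */
size_t list_free_all(struct node **head) {
    size_t freed = 0;
    for (struct node *p = *head, *q; p != NULL; p = q) {
        q = p->next;            /* read p->next before p is freed */
        free(p);
        freed++;
    }
    *head = NULL;               /* the caller's head does not dangle */
    return freed;
}

int is_even(int v) { return v % 2 == 0; }

int main(void) {                /* constructed sample: values 1..6 */
    struct node *head = NULL;
    for (int i = 1; i <= 6; i++) if (list_push(&head, i) != 0) break;
    size_t removed = list_remove_if(&head, is_even);
    return (list_free_all(&head) == 3 && removed == 3 && head == NULL) ? 0 : 1;
}
```
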
Non-compliant Code Example 2

In the following example, `buff` is written to after it has been freed. These vulnerabilities can be relatively easily exploited to run arbitrary code with the permissions of the vulnerable process and are seldom this obvious. Typically, allocations and frees are far removed, making it difficult to recognize and diagnose these problems.

```c
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 256  /* assumed value; the page does not define BUFSIZE */

int main(int argc, char *argv[]) {
    char *buff;

    buff = (char *) malloc(BUFSIZE);
    if (!buff) {
        /* handle error condition */
    }
    /* ... */
    free(buff);
    /* ... */
    strncpy(buff, argv[1], BUFSIZE-1);  /* writes to memory that was freed above */
}
```

Compliant Solution

Do not free the memory until it is no longer required.

```c
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 256  /* assumed value; the page does not define BUFSIZE */

int main(int argc, char *argv[]) {
    char *buff;

    buff = (char *) malloc(BUFSIZE);
    if (!buff) {
        /* handle error condition */
    }
    /* ... */
    strncpy(buff, argv[1], BUFSIZE-1);
    /* ... */
    free(buff);  /* last use of buff is above this line */
}
```

Consequences

Reading memory that has already been freed can lead to abnormal program termination and denial-of-service attacks. Writing memory that has already been freed can lead to the execution of arbitrary code with the permissions of the vulnerable process.

References

- Section 7.20.3.2 The free function
- Seacord 05 Chapter 4 Dynamic Memory Management
- Kernighan 88 Section 7.8.5 Storage Management
- OWASP Using freed memory