Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

When memory is freed its contents may remain intact and accessible. This is because it is at the memory manager's discretion when to reallocate or recycle the freed chunk. The data at the freed location may appear valid. However, this can change unexpectedly leading to unintended program behavior. As a result, it is necessary to guarantee that memory is not written to or read from once it is freed.

Non-compliant Code Example 1

This example from Kerrighan 88 shows items being deleted from a linked list. Because p is freed before the p->next is executed, p->next reads memory that has already been freed.

Code Block
for(p = head; p != NULL; p= p->next) {
  free(p);
}

Compliant Solution 1

To correct this error, a reference to p->next is stored in q before freeing p.

Code Block
for (p = head; p != NULL; p= p->q) {
  q = p->next;
  free(p);
}

Non-compliant Code Example 2

In the following example, {{buff} is written to after it has been freed. These vulnerabilities can be relatively easily exploited to run arbitrary code with the permissions of the vulnerable process and are seldom this obvious. Typically, allocations and frees are far removed making it difficult to recognize and diagnose these problems.

Code Block
int main(int argc, char *argv[]) {
  char *buff;

  buff = (char *) malloc(BUFSIZE);
  if (!buff) {
     /* handle error condition */
  }
  ...
  free(buff);
  ...
  strncpy(buff, argv[1], BUFSIZE-1);
}

Compliant Solution

Do not free the memory until it is no longer required.

Code Block
int main(int argc, char *argv[]) {
  char *buff;

  buff = (char *) malloc(BUFSIZE);
  if (!buff) {
     /* handle error condition */
  }
  ...
  strncpy(buff, argv[1], BUFSIZE-1);
  ...
  free(buff);

}

Consequences

Reading memory that has already been freed can lead to abnormal program termination and denial-of-service attacks.
Writing memory that has already been freed can lead to the execution of arbitrary code with the permissions of the vulnerabile process.

References