Accessing memory once it has been freed may corrupt the data structures used to manage the heap. When a chunk of memory is freed by calling free(), the underlying structures that manage the heap manipulate that chunk to place it back into the pool of memory available for allocation. References to memory that has been deallocated are referred to as dangling pointers. Accessing a dangling pointer can lead to security vulnerabilities.
...
```c
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char *buff;

    buff = (char *) malloc(BUFSIZE);
    if (!buff) {
        /* handle error condition */
    }
    /* ... */
    free(buff);
    /* ... */
    /* buff is now a dangling pointer: this write touches freed heap memory */
    strncpy(buff, argv[1], BUFSIZE-1);
}
```
...
```c
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char *buff;

    buff = (char *) malloc(BUFSIZE);
    if (!buff) {
        /* handle error condition */
    }
    /* ... */
    /* all uses of buff happen while the allocation is still live */
    strncpy(buff, argv[1], BUFSIZE-1);
    /* ... */
    free(buff);
}
```
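As an added example (not code from the original page), the following C snippet shows one defensive pattern that complements the ordering fix above: clearing the owning pointer immediately after free(), so that a later access is rejected by a NULL check instead of silently reading or writing freed heap memory. The names free_and_clear, copy_into and demo, the 16-byte buffer and the string inputs are all constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Free the block and clear the caller's pointer so it can no longer dangle.
   Takes a pointer-to-pointer so the caller's own variable is updated. */
static void free_and_clear(char **pp) {
    free(*pp);
    *pp = NULL;
}

/* Copy src into the buffer owned by *pbuff, always NUL-terminating.
   Returns 1 if the copy was performed, 0 if the buffer has already been freed
   (and cleared), i.e. the dangling-pointer access is refused. */
int copy_into(char **pbuff, const char *src, size_t size) {
    if (*pbuff == NULL || size == 0) {
        return 0;                      /* use of freed memory prevented */
    }
    strncpy(*pbuff, src, size - 1);
    (*pbuff)[size - 1] = '\0';         /* strncpy does not guarantee termination */
    return 1;
}

/* Walk through the life cycle: live buffer, free, attempted reuse.
   Returns 10 (first copy succeeded, second refused), or -1 if malloc failed. */
int demo(void) {
    char *buff = (char *) malloc(16);  /* constructed size for the example */
    if (!buff) {
        return -1;
    }
    int first = copy_into(&buff, "hello", 16);   /* 1: buffer is live */
    free_and_clear(&buff);                       /* buff is now NULL, not dangling */
    int second = copy_into(&buff, "world", 16);  /* 0: refused */
    return first * 10 + second;
}
```

Clearing the pointer only protects the one variable that was cleared; any other copy of the original pointer still dangles, so this pattern is a backstop rather than a substitute for freeing after the last use. During testing, building with -fsanitize=address makes any remaining use-after-free abort at the offending access rather than silently corrupting heap metadata.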
Consequences
Reading memory that has already been freed can lead to abnormal program termination and denial-of-service attacks.
Writing memory that has already been freed can lead to the execution of arbitrary code with the permissions of the vulnerable process.
...