As noted in undefined behavior 179 of Annex J of the C standard [ISO/IEC 9899:2011], the behavior of a program is undefined when

the pointer argument to the free or realloc function does not match a pointer earlier returned by a memory management function, or the space has been deallocated by a call to free or realloc.

Freeing memory multiple times has consequences similar to accessing memory after it is freed. (See MEM30-C. Do not access freed memory.) First, reading a pointer to deallocated memory is undefined behavior because the pointer value is indeterminate and may be a trap representation; in that case, merely reading the pointer can cause a hardware trap. When reading the freed pointer does not trap, passing it to free() a second time can corrupt the data structures that manage the heap in a way that introduces security vulnerabilities into a program. These are called double-free vulnerabilities. In practice, double-free vulnerabilities can be exploited to execute arbitrary code. One example is VU#623332, which describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth().

...

Note that this solution checks for numeric overflow. (See INT32-C. Ensure that operations on signed integers do not result in overflow.)

Noncompliant Code Example (realloc())

...
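As an added example that is not the page's own code, the following C program covers both the double-free mechanism described earlier (an error path that frees a buffer which the common cleanup then frees again) and the realloc() case named in this section. The helper names release(), resize(), copy_compliant() and copy_noncompliant(), the 64-byte buffer, and the free counter are assumptions made for the illustration. The realloc(p, 0) behavior it guards against (free p and return NULL) is what glibc does; C11 7.22.3 leaves a zero-size request implementation-defined, which is exactly why a caller cannot know whether it still owns p afterwards.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed buffer size for the illustration */

/* Counts successful free() calls so a caller can verify "exactly once". */
static int g_frees = 0;

int frees_so_far(void) { return g_frees; }

/* Free the block and null the caller's variable. free(NULL) is defined as a
 * no-op (C11 7.22.3.3), so a stray second release() of the same variable
 * cannot become a double free. Returns 1 if a block was freed, 0 otherwise. */
int release(char **pp) {
    if (pp == NULL || *pp == NULL) {
        return 0;
    }
    free(*pp);
    *pp = NULL;
    g_frees++;
    return 1;
}

#ifdef DEMONSTRATE_DOUBLE_FREE
/* Noncompliant shape (not compiled in by default): the rejection path frees
 * buf and then falls through to the common cleanup, which frees it again.
 * The second free() is undefined behavior 179; on glibc it typically aborts
 * with "double free detected" or silently corrupts the allocator's lists. */
int copy_noncompliant(const char *input) {
    char *buf = malloc(BUF_SIZE);
    int rc = 0;
    if (buf == NULL) {
        return -1;
    }
    if (strlen(input) >= BUF_SIZE) {
        free(buf);            /* first free */
        rc = -1;
    } else {
        memcpy(buf, input, strlen(input) + 1);
    }
    free(buf);                /* second free on the error path */
    return rc;
}
#endif

/* Compliant: one owner, one exit path, one release(). Returns 0 on success,
 * -1 if the input does not fit or allocation fails. */
int copy_compliant(const char *input) {
    char *buf = malloc(BUF_SIZE);
    int rc = 0;
    if (buf == NULL) {
        return -1;
    }
    if (strlen(input) >= BUF_SIZE) {
        rc = -1;
        goto cleanup;
    }
    memcpy(buf, input, strlen(input) + 1);
    /* ... use buf ... */
cleanup:
    release(&buf);            /* exactly once; buf is NULL afterwards */
    return rc;
}

/* realloc() wrapper. Two double-free traps live here: realloc(p, 0) is
 * implementation-defined (C11 7.22.3) and on glibc frees p and returns NULL,
 * so a caller that then free()s p frees twice; and on a genuine failure the
 * old block is left allocated, so it must be released by exactly one party.
 * This wrapper refuses nsize == 0 and, on failure, leaves *pp untouched so
 * the caller's existing release() remains the single free.
 * Returns 0 on success, -1 for a zero size, -2 if realloc() failed. */
int resize(char **pp, size_t nsize) {
    char *tmp;
    if (pp == NULL || nsize == 0) {
        return -1;
    }
    tmp = realloc(*pp, nsize);
    if (tmp == NULL) {
        return -2;            /* *pp still valid and still owned by the caller */
    }
    *pp = tmp;
    return 0;
}

int main(void) {
    char *p = malloc(BUF_SIZE);
    int first, second;
    if (p == NULL) {
        return 1;
    }
    printf("copy_compliant(\"hello\") = %d\n", copy_compliant("hello"));
    printf("resize(&p, 0)   = %d (refused; p still owned by caller)\n", resize(&p, 0));
    printf("resize(&p, 128) = %d\n", resize(&p, 128));
    first = release(&p);
    second = release(&p);
    printf("release #1 = %d, release #2 = %d (no-op, p is NULL)\n", first, second);
    printf("total frees = %d\n", frees_so_far());
    return 0;
}
```

Build with an ordinary C compiler and run it; to see the noncompliant path fail, compile with -DDEMONSTRATE_DOUBLE_FREE (and ideally -fsanitize=address) and call copy_noncompliant() on a string of 64 or more characters. The design point is that ownership of every heap block ends in exactly one release() call, and that release() nulls the variable so the allocator is never handed a stale pointer.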

Tool              Version   Checker          Description
LDRA tool suite             484 S            Fully implemented.
Fortify SCA       V. 5.0    Double Free
Splint
Coverity Prevent            RESOURCE_LEAK    Finds resource leaks from variables that go out of scope while owning a resource.
Coverity Prevent            USE_AFTER_FREE   Can find instances where freed memory is freed again. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.
Compass/ROSE                                 Can detect some violations of this rule. In particular, false positives may be raised if a variable is freed by a different function than the one that allocated it. Also, it is unable to warn on cases where a call to free() happens inside a for loop.
Klocwork                    MLK, UFM.FFM

...

ISO/IEC TR 17961 (Draft) Freeing memory multiple times [dblfree]

ISO/IEC TR 24772 "XYK Dangling reference to heap" and "XYL Memory leak"

MITRE CWE: CWE-415, "Double free"

Bibliography

[MIT 2005]
[OWASP, Double Free]
[Viega 2005] "Doubly freeing memory"
[VU#623332]

...