...
| Wiki Markup |
|---|
Failing to follow this recommendation has led to real-world vulnerabilities. For example, freeing memory in different modules resulted in a vulnerability in MIT Kerberos 5 \[[MIT 04|AA. C References#MIT 04]\]. The MIT Kerberos 5 code in this case contained error-handling logic, which freed memory allocated by the ASN.1 decoders if pointers to the allocated memory were non-NULL. However, if a detectable error occurred, the ASN.1 decoders freed the memory that they had allocated. When some library functions received errors from the ASN.1 decoders, they also attempted to free, resulting in a double-free vulnerability. |
...
Noncompliant Code Example
This non-compliant noncompliant code example shows a double-free vulnerability resulting from memory being allocated and freed at differing levels of abstraction. In this example, memory for the list array is allocatd in the process_list() function. The array is then passed to the verify_list() function that performs error checking on the size of the list. If the size of the list is below a minimum size, the memory allocated to the list is freed and the function returns to the caller. The calling function then frees this same memory again, resulting in a double-free and potentially exploitable vulnerability.
...
The call to free memory in the verify_list() function takes place in a subroutine of the process_list() function, at a different level of abstraction from the allocation, resulting in a violation of this recommendation. The memory deallocation also occurs in error handling code, which is frequently not as well tested as "green paths" through the code.
Compliant Solution
To correct this problem, the error handling code in verify_list() is modified so that it no longer frees list. This change ensures that list is freed only once, at the same level of abstraction, in the process_list() function.
| Code Block | ||
|---|---|---|
| ||
enum { MIN_SIZE_ALLOWED = 32 };
int verify_size(const char const *list, size_t size) {
if (size < MIN_SIZE_ALLOWED) {
/* Handle Error Condition */
return -1;
}
return 0;
}
void process_list(size_t number) {
char *list = (char *)malloc(number);
if (list == NULL) {
/* Handle Allocation Error */
}
if (verify_size(list, number) == -1) {
free(list);
return;
}
/* Continue Processing list */
free(list);
}
|
Risk Assessment
The mismanagement of memory can lead to freeing memory multiple times or writing to already freed memory. Both of these coding errors can result in an attacker executing arbitrary code with the permissions of the vulnerable process. Memory management errors can also lead to resource depletion and denial-of-service attacks.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM00-A C | high | probable | medium | P12 | L1 |
Automated Detection
The LDRA tool suite V 7.6.0 is able to can detect violations of this recommendation.
Fortify SCA Version 5.0 with CERT C Rule Pack can detect violations of this recommendation.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.3, "Memory Management Functions" \[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "XYL Memory Leak" \[[MIT 04|AA. C References#MIT 04]\] \[[Plakosh 05|AA. C References#Plakosh 05]\] \[[Seacord 05a|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management" |
...
08. Memory Management (MEM) 08. Memory Management (MEM) MEM01-A. Store a new value in pointers immediately after free()