Evaluating a pointer—including dereferencing the pointer, using it as an operand of an arithmetic operation, type casting it, and using it as the right-hand side of an assignment—into memory that has been deallocated by a memory management function is undefined behavior. Pointers to memory that has been deallocated are called dangling pointers. Accessing a dangling pointer can result in exploitable vulnerabilities.

It is at the memory manager's discretion when to reallocate or recycle the freed memory. When memory is freed, all pointers into it become invalid, and its contents might either be returned to the operating system, making the freed space inaccessible, or remain intact and accessible. As a result, the data at the freed location can appear to be valid but change unexpectedly. Consequently, memory must not be written to or read from once it is freed.

...

In this noncompliant code example, s is dereferenced after it has been deallocated. If this access results in a write-after-free, the vulnerability can be exploited to run arbitrary code with the permissions of the vulnerable process. Such errors are seldom this obvious. Typically, dynamic memory allocations and deallocations are far removed, making it difficult to recognize and diagnose such problems.
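
The case where allocation and deallocation are far removed, as an added C++ example that is not part of the original rule text: a table of raw pointers beside a hardened variant that holds `std::weak_ptr` handles, so a deallocated object is reported as absent instead of being dereferenced. `Session`, `RawTable`, `SafeTable` and `demo` are hypothetical names chosen for illustration.

```cpp
#include <memory>
#include <unordered_map>

// Constructed type for illustration; not taken from the rule.
struct Session { int requests = 0; };

// Noncompliant shape, shown for contrast and never called: the table stores
// raw pointers, so once the owner runs `delete` elsewhere, touch() reads and
// writes freed memory through a dangling pointer.
class RawTable {
    std::unordered_map<int, Session *> slots_;
public:
    void track(int id, Session *s) { slots_[id] = s; }
    int touch(int id) { return ++slots_.at(id)->requests; }  // UB once freed
};

// Hardened shape: the table stores non-owning weak_ptr handles. lock() returns
// an owning shared_ptr only while the object is alive, so a deallocated
// Session is reported as absent instead of being dereferenced.
class SafeTable {
    std::unordered_map<int, std::weak_ptr<Session>> slots_;
public:
    void track(int id, const std::shared_ptr<Session> &s) { slots_[id] = s; }
    // Returns the updated request count, or -1 if the Session is gone.
    int touch(int id) {
        auto it = slots_.find(id);
        if (it == slots_.end()) return -1;
        if (auto live = it->second.lock()) return ++live->requests;
        slots_.erase(it);  // drop the expired handle
        return -1;
    }
    bool empty() const { return slots_.empty(); }
};

// Allocation, deallocation and the later use are separate steps, as in real
// code. Returns 1 when the use after deallocation was refused.
int demo() {
    SafeTable table;
    auto owner = std::make_shared<Session>();
    table.track(7, owner);
    int before = table.touch(7);   // object alive: count becomes 1
    owner.reset();                 // Session is deallocated here
    int after = table.touch(7);    // expired handle: -1, entry erased
    return (before == 1 && after == -1 && table.empty()) ? 1 : 0;
}

int main() { return demo() == 1 ? 0 : 1; }
```
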

...

Search for other vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...