...
The C Standard, Annex J (184) [ISO/IEC 9899:2024], states that the behavior
...
of a program is undefined when
The pointer argument to the
free
orrealloc
function does not match a pointer earlier returned by a memory management function, or the space has been deallocated by a call tofree
orrealloc
.
See also undefined behavior 179.
Freeing memory that is not allocated dynamically can result in heap corruption and other serious errors. Do not call free()
on anything a pointer other than a pointer one returned by a dynamic standard memory allocation function, such as malloc()
, calloc()
, realloc()
, or aligned_alloc()
.
A similar situation arises when realloc()
is supplied a pointer to non-dynamically allocated memory. The realloc()
function is used to resize a block of dynamic memory. If realloc()
is supplied a pointer to memory not allocated by a standard memory allocation function, such as malloc()
, the behavior is undefined. One consequence is that the program may terminate abnormally.
This rule does not apply to null pointers. The C Standard guarantees that if free()
is passed a null pointer, no action occurs.
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> #include <string.h> #include <stdio.h> enum { MAX_ALLOCATION = 1000 }; int main(int argc, const char *argv[]) { char *c_str = NULL; size_t len; if (argc == 2) { len = strlen(argv[1]) + 1; if (len > MAX_ALLOCATION) { /* Handle error */ } c_str = (char *)malloc(len); if (c_str == NULL) { /* Handle error */ } strcpy(c_str, argv[1]); } else { printf("%s\n", "usage: $>a.exe [string]"); return -1EXIT_FAILURE; } free(c_str); return 0; } |
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> enum { BUFSIZE = 256 }; void f(void) { char buf[BUFSIZE]; char *p = (char *)realloc(buf, 2 * BUFSIZE); if (p == NULL) { /* handleHandle error */ } } |
Compliant Solution (realloc()
)
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> enum { BUFSIZE = 256 }; void f(void) { char *buf = (char *)malloc(BUFSIZE * sizeof(char)); char *p = (char *)realloc(buf, 2 * BUFSIZE); if (p == NULL) { /* handleHandle error */ } } |
Note that realloc()
will behave properly even if malloc()
failed, because when given a null pointer, realloc()
behaves like a call to malloc()
.
...
The consequences of this error depend on the implementation, but they range from nothing to arbitrary code execution if that memory is reused by malloc()
.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MEM34-C | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| invalid-free | Fully checked | ||||||
Axivion Bauhaus Suite |
| CertC-MEM34 | Can detect memory deallocations for stack objects | ||||||
Clang |
| clang-analyzer-unix.Malloc | Checked by clang-tidy ; can detect some instances of this rule, but does not detect all | ||||||
CodeSonar |
| ALLOC.TM | Type Mismatch | ||||||
Compass/ROSE |
Can detect some violations of this rule | |||||||||
| BAD_FREE | Identifies calls to |
| |||||||||
Cppcheck |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | ||||||
Cppcheck Premium |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | ||||||
Helix QAC |
| DF2721, DF2722, DF2723 | |||||||
Klocwork |
| FNH.MIGHT FNH.MUST |
FUM.GEN.MUST
LDRA tool suite |
| 407 S, 483 S, 644 S, 645 S, 125 D | Partially implemented | ||||||
Parasoft C/C++test |
|
...
CERT_C-MEM34-a | Do not free resources using invalid pointers | ||||||||
Parasoft Insure++ | Runtime analysis | ||||||||
PC-lint Plus |
| 424, 673 | Fully supported | ||||||
Polyspace Bug Finder |
| Checks for:
Rule fully covered. | |||||||
PVS-Studio |
| V585, V726 | |||||||
RuleChecker |
| invalid-free | Partially checked | ||||||
TrustInSoft Analyzer |
| unclassified ("free expects a free-able address") | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2015-0240 describes a vulnerability in which an uninitialized pointer is passed to TALLOC_FREE()
, which is a Samba-specific memory deallocation macro that wraps the talloc_free()
function. The implementation of talloc_free()
would access the uninitialized pointer, resulting in a remote exploit.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard | MEM31-C. Free dynamically allocated memory when no longer needed | Prior to 2018-01-12: CERT |
: Unspecified Relationship | |
CERT C | MEM51-CPP. |
Properly deallocate dynamically allocated resources | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961 | Reallocating or freeing memory that was not dynamically allocated [xfree] |
Prior to 2018-01-12: CERT: Unspecified Relationship | |
CWE 2.11 | CWE-590, Free of |
Memory Not on the Heap | 2017-07-10: CERT: Exact |
Bibliography
[ |
ISO/IEC 9899: |
2024] |
Subclause J.2, "Undefined Behavior" |
...
[Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
...