Dynamic memory management is a common source of programming flaws that can lead to security vulnerabilities. Decisions regarding how dynamic memory is allocated, used, and deallocated are the burden of the programmer. Poor memory management can lead to security issues, such as heap-buffer overflows, dangling pointers, and double-free issues [Seacord 2005a2013]. From the programmer's perspective, memory management involves allocating memory, reading and writing to memory, and deallocating memory.
...
To avoid these situations, memory should be allocated and freed at the same level of abstraction and, ideally, in the same code module. This includes the use of the following memory allocation and deallocation functions described in Section subclause 7.23.3 of the C Standard [ISO/IEC 9899:2011]:
Code Block |
---|
void *malloc(size_t size); void *calloc(size_t nmemb, size_t size); void *realloc(void *ptr, size_t size); void *aligned_alloc(size_t alignment, size_t size); void free(void *ptr); |
...
Code Block | ||||
---|---|---|---|---|
| ||||
enum { MIN_SIZE_ALLOWED = 32 }; int verify_size(char *list, size_t size) { if (size < MIN_SIZE_ALLOWED) { /* Handle Errorerror Conditioncondition */ free(list); return -1; } return 0; } void process_list(size_t number) { char *list = (char *)malloc(number); if (list == NULL) { /* Handle Allocationallocation Errorerror */ } if (verify_size(list, number) == -1) { free(list); return; } /* Continue Processingprocessing list */ free(list); } |
The call to free memory in the verify_size()
function takes place in a subroutine of the process_list()
function, at a different level of abstraction from the allocation, resulting in a violation of this recommendation. The memory deallocation also occurs in error-handling code, which is frequently not as well tested as "green paths" through the code.
...
Code Block | ||||
---|---|---|---|---|
| ||||
enum { MIN_SIZE_ALLOWED = 32 }; int verify_size(const char *list, size_t size) { if (size < MIN_SIZE_ALLOWED) { /* Handle Errorerror Conditioncondition */ return -1; } return 0; } void process_list(size_t number) { char *list = (char *)malloc(number); if (list == NULL) { /* Handle Allocationallocation Errorerror */ } if (verify_size(list, number) == -1) { free(list); return; } /* Continue Processingprocessing list */ free(list); } |
Risk Assessment
The mismanagement of memory can lead to freeing memory multiple times or writing to already freed memory. Both of these coding errors can result in an attacker executing arbitrary code with the permissions of the vulnerable process. Memory management errors can also lead to resource depletion and denial-of-service attacks.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MEM00-C |
High |
Probable |
Medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| ALLOC.DF | Double free | ||||||
Compass/ROSE |
Could detect possible violations by reporting any function that has |
Coverity | 6.5 | RESOURCE_LEAK | Fully |
Fortify SCA
5.0
implemented | |||||||||
Klocwork |
| FREE.INCONSISTENT UFM.FFM.MIGHT UFM.FFM.MUST UFM.DEREF.MIGHT UFM.DEREF.MUST UFM.RETURN.MIGHT UFM.RETURN.MUST UFM.USE.MIGHT UFM.USE.MUST MLK.MIGHT MLK.MUST MLK.RET.MIGHT MLK.RET.MUST FNH.MIGHT FNH.MUST FUM.GEN.MIGHT FUM.GEN.MUST RH.LEAK | |||||||
LDRA tool suite |
| 50 D | Partially implemented | ||||||
Parasoft C/C++test |
| CERT_C-MEM00-a | Do not allocate memory and expect that someone else will deallocate it later | ||||||
Parasoft Insure++ | Runtime analysis | ||||||||
PC-lint Plus |
| 449, 2434 | Partially supported | ||||||
Polyspace Bug Finder |
| Checks for:
Rec. partially covered. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ |
Coding Standard | VOID MEM11-CPP. Allocate and free memory in the same module, at the same level of abstraction |
ISO/IEC TR 24772:2013 | Memory |
Leak [XYL] | |
MITRE CWE | CWE- |
415, |
Double free CWE- |
416, |
Use after free |
Bibliography
...
...