The C Standard, Annex J (184) [ISO/IEC 9899:2024], states that the behavior of a program is undefined when
...
The consequences of this error depend on the implementation, but they range from nothing to arbitrary code execution if that memory is reused by malloc().
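The pattern this rule forbids, beside its compliant form, as an added example that is not code from the CERT page: a routine that uses a stack buffer for short inputs and a heap buffer for long ones, and must free only the heap path. The function name process_string and the SMALL_LIMIT threshold are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
/* Hypothetical example: process a string using a small on-stack buffer
 * for short inputs and a heap buffer for long ones.
 *
 * Noncompliant shape (for contrast, not compiled here):
 *   char *str = (len < sizeof buf) ? buf : malloc(len + 1);
 *   ...
 *   free(str);  // undefined behavior when str == buf (not from malloc)
 */

#define SMALL_LIMIT 16
/* Uppercases ASCII letters in a private copy of input and returns the
 * number of bytes processed, or -1 if malloc() fails. *used_heap
 * reports which path was taken so a test can cover both. */
int process_string(const char *input, bool *used_heap)
{
    char buf[SMALL_LIMIT];
    char *str;
    bool is_heap = false;   /* explicit ownership flag */
    size_t len = strlen(input);

    if (len < sizeof buf) {
        str = buf;
    } else {
        str = malloc(len + 1);
        if (str == NULL) {
            return -1;
        }
        is_heap = true;
    }
    memcpy(str, input, len + 1);
    for (size_t i = 0; i < len; i++) {
        if (str[i] >= 'a' && str[i] <= 'z') {
            str[i] = (char)(str[i] - 'a' + 'A');
        }
    }

    /* Compliant: release only memory that malloc() returned. */
    if (is_heap) {
        free(str);
    }
    if (used_heap != NULL) {
        *used_heap = is_heap;
    }
    return (int)len;
}
```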
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MEM34-C | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
Astrée | | invalid-free | Fully checked
Axivion Bauhaus Suite | | CertC-MEM34 | Can detect memory deallocations for stack objects
Clang | | clang-analyzer-unix.Malloc | Checked by clang-tidy; can detect some instances of this rule, but does not detect all
CodeSonar | | ALLOC.TM | Type Mismatch
Compass/ROSE | | | Can detect some violations of this rule
| | BAD_FREE | Identifies calls to
Cppcheck | | autovarInvalidDeallocation, mismatchAllocDealloc | Partially implemented
Cppcheck Premium | | autovarInvalidDeallocation, mismatchAllocDealloc | Partially implemented
Helix QAC | | DF2721, DF2722, DF2723 |
Klocwork | | FNH.MIGHT, FNH.MUST, FUM.GEN.MIGHT, FUM.GEN.MUST |
LDRA tool suite | | 407 S, 483 S, 644 S, 645 S, 125 D | Partially implemented
Parasoft C/C++test | | CERT_C-MEM34-a | Do not free resources using invalid pointers
Parasoft Insure++ | | | Runtime analysis
PC-lint Plus | | 424, 673 | Fully supported
Polyspace Bug Finder | | | Checks for: … Rule fully covered.
PVS-Studio | | V585, V726 |
RuleChecker | | invalid-free | Partially checked
TrustInSoft Analyzer | | unclassified ("free expects a free-able address") | Exhaustively verified (see one compliant and one non-compliant example).
Related Vulnerabilities
CVE-2015-0240 describes a vulnerability in which an uninitialized pointer is passed to TALLOC_FREE(), which is a Samba-specific memory deallocation macro that wraps the talloc_free() function. The implementation of talloc_free() would access the uninitialized pointer, resulting in a remote exploit.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Taxonomy | Taxonomy item | Relationship
---|---|---
CERT C Secure Coding Standard | MEM31-C. Free dynamically allocated memory when no longer needed | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C | MEM51-CPP. Properly deallocate dynamically allocated resources | Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961 | Reallocating or freeing memory that was not dynamically allocated [xfree] | Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11 | CWE-590, Free of Memory Not on the Heap | 2017-07-10: CERT: Exact
Bibliography
[ISO/IEC 9899:2024] | Subclause J.2, "Undefined Behavior"
[Seacord 2013b] | Chapter 4, "Dynamic Memory Management"
...