The C Standard, Annex J (184) [ISO/IEC 9899:20112024], states that the behavior of a program is undefined when
...
The consequences of this error depend on the implementation, but they range from nothing to arbitrary code execution if that memory is reused by malloc().
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM34-C | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| invalid-free | Fully checked | ||||||
| Axivion Bauhaus Suite |
| CertC-MEM34 | Can detect memory deallocations for stack objects | ||||||
| Clang |
| clang-analyzer-unix.Malloc | Checked by clang-tidy; can detect some instances of this rule, but does not detect all | ||||||
| CodeSonar |
| ALLOC. |
TM | Type Mismatch |
| Compass/ROSE |
Can detect some violations of this rule | |||||||||
| BAD_FREE | Identifies calls to | |||||||
| Cppcheck |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | ||||||
| Cppcheck Premium |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | ||||||
| Helix QAC |
| DF2721, DF2722, DF2723 | |||||||
| Klocwork |
| FNH.MIGHT FNH.MUST |
FUM.GEN.MIGHT
FUM.GEN.MUST
| LDRA tool suite |
| 407 S, 483 S, 644 S, 645 S, 125 D | Partially implemented | ||||||
| Parasoft C/C++test |
| CERT_C-MEM34-a | Do not free resources using invalid pointers |
| Parasoft Insure++ |
| Runtime analysis | |||||||||
| PC-lint Plus |
| 424, 673 | Fully supported | ||||||
| Polyspace Bug Finder |
|
| Checks for:
|
Pointer deallocation without a corresponding dynamic allocation
Rule fully covered. | |||||||||
| PVS-Studio |
| V585, V726 | |||||||
| RuleChecker |
| invalid-free | Partially checked | ||||||
| TrustInSoft Analyzer |
| unclassified ("free expects a free-able address") | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2015-0240 describes a vulnerability in which an uninitialized pointer is passed to TALLOC_FREE(), which is a Samba-specific memory deallocation macro that wraps the talloc_free() function. The implementation of talloc_free() would access the uninitialized pointer, resulting in a remote exploit.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C Secure Coding Standard | MEM31-C. Free dynamically allocated memory when no longer needed |
| Prior to 2018-01-12: CERT: Unspecified Relationship | ||
| CERT C | MEM51-CPP. Properly deallocate dynamically allocated resources | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961 | Reallocating or freeing memory that was not dynamically allocated [xfree] |
| Prior to 2018-01-12: CERT: Unspecified Relationship | ||
| CWE 2.11 | CWE-590, Free of Memory Not on the Heap | 2017-07-10: CERT: Exact |
Bibliography
| [ISO/IEC 9899: |
| 2024] | Subclause J.2, "Undefined Behavior" |
| [Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
...
...