The C Standard, Annex J (184) [ISO/IEC 9899:20112024], states that the behavior of a program is undefined when
...
Tool | Version | Checker | Description | |||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Astrée |
| invalid-free | Fully checked | |||||||||||||
Axivion Bauhaus Suite |
| CertC-MEM34 | Can detect memory deallocations for stack objects | |||||||||||||
Clang |
| clang-analyzer-unix.Malloc | Checked by clang-tidy ; can detect some instances of this rule, but does not detect all | |||||||||||||
CodeSonar |
| ALLOC. | FNHFree non-heap variableTM | Type Mismatch | ||||||||||||
Compass/ROSE | Can detect some violations of this rule | |||||||||||||||
| BAD_FREE | Identifies calls to | ||||||||||||||
Cppcheck |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | |||||||||||||
Cppcheck Premium |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | |||||||||||||
Helix QAC |
| DF2721, DF2722, DF2723 | ||||||||||||||
Klocwork |
| FNH.MIGHT FNH | .MUST. | GEN.MUST | ||||||||||||
LDRA tool suite |
| 407 S, 483 S, 644 S, 645 S, 125 D | Partially implemented | |||||||||||||
Parasoft C/C++test |
| BDCERT_C- | RESMEM34- | INVFREEImplementeda | Do not free resources using invalid pointers | |||||||||||
Parasoft Insure++ | Detect at runtimeRuntime analysis | |||||||||||||||
PC-lint Plus |
| 424, 673 | Fully supported | |||||||||||||
Polyspace Bug Finder |
| R2016a
| Checks for:
| Pointer deallocation without a corresponding dynamic allocation | PRQA QA-C | 9.1 |
Rule fully covered. | |||||||||
1769 | PVS-Studio |
| V585, V726 | |||||||||||||
RuleChecker |
| invalid-free | Partially checked | |||||||||||||
TrustInSoft Analyzer |
| unclassified ("free expects a free-able address") | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2015-0240 describes a vulnerability in which an uninitialized pointer is passed to TALLOC_FREE()
, which is a Samba-specific memory deallocation macro that wraps the talloc_free()
function. The implementation of talloc_free()
would access the uninitialized pointer, resulting in a remote exploit.
...
Bibliography
[ISO/IEC 9899:20112024] | Subclause J.2, "Undefined Behavior" |
[Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
...