The C Standard, Annex J (184) [ISO/IEC 9899:20112024], states that the behavior of a program is undefined when
...
Tool | Version | Checker | Description | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
Astrée |
| invalid-free | Fully checked | |||||||||
Axivion Bauhaus Suite |
| CertC-MEM34 | Can detect memory deallocations for stack objects | |||||||||
Clang |
| clang-analyzer-unix.Malloc | Checked by clang-tidy ; can detect some instances of this rule, but does not detect all | |||||||||
CodeSonar |
| ALLOC. | FNHFree non-heap variableTM | Type Mismatch | ||||||||
Compass/ROSE | Can detect some violations of this rule | |||||||||||
| BAD_FREE | Identifies calls to | ||||||||||
Cppcheck |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | |||||||||
Cppcheck Premium |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | |||||||||
Helix QAC |
| DF2721, DF2722, DF2723 | ||||||||||
Klocwork |
| FNH.MIGHT FNH.MUST | FUM.GEN.MUST | |||||||||
LDRA tool suite |
| 407 S, 483 S, 644 S, 645 S, 125 D | Partially implemented | |||||||||
Parasoft C/C++test |
| CERT_C-MEM34-a | Do not free resources using invalid pointers | |||||||||
Parasoft Insure++ | Runtime analysis | |||||||||||
PC-lint Plus |
| 424, 673 | Fully supported | |||||||||
Polyspace Bug Finder |
| MISRA 2012 Rule 22.2 | Pointer deallocation without a corresponding dynamic allocation A block of memory shall only be freed if it was allocated by means of a Standard Library function | Checks for:
Rule fully covered. | ||||||||
PRQA QA-C | 9.1 | 1769 | PVS-Studio |
| V585, V726 | |||||||
RuleChecker |
| invalid-free | Partially checked | |||||||||
TrustInSoft Analyzer |
| unclassified ("free expects a free-able address") | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2015-0240 describes a vulnerability in which an uninitialized pointer is passed to TALLOC_FREE()
, which is a Samba-specific memory deallocation macro that wraps the talloc_free()
function. The implementation of talloc_free()
would access the uninitialized pointer, resulting in a remote exploit.
...
Bibliography
[ISO/IEC 9899:20112024] | Subclause J.2, "Undefined Behavior" |
[Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
...