The C Standard, Annex J (184) [ISO/IEC 9899:20112024], states that the behavior of a program is undefined when
...
Tool | Version | Checker | Description | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Astrée |
| invalid-free | Fully checked | ||||||||||||
Axivion Bauhaus Suite |
| CertC-MEM34 | Can detect memory deallocations for stack objects | ||||||||||||
Clang |
| clang-analyzer-unix.Malloc | Checked by clang-tidy ; can detect some instances of this rule, but does not detect all | ||||||||||||
CodeSonar |
| ALLOC. | FNHFree non-heap variableTM | Type Mismatch | |||||||||||
Compass/ROSE | Can detect some violations of this rule | ||||||||||||||
| BAD_FREE | Identifies calls to | |||||||||||||
Cppcheck |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | ||||||||||||
Cppcheck Premium |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | ||||||||||||
Helix QAC |
| DF2721, DF2722, DF2723 | |||||||||||||
Klocwork |
| FNH.MIGHT FNH | .MUST.MUST | ||||||||||||
LDRA tool suite |
| 407 S, 483 S, 644 S, 645 S, 125 D | Partially implemented | ||||||||||||
Parasoft C/C++test |
| CERT_C-MEM34-a | Do not free resources using invalid pointers | ||||||||||||
Parasoft Insure++ | Runtime analysis | ||||||||||||||
PC-lint Plus |
| 424, 673 | Fully supported | ||||||||||||
Polyspace Bug Finder |
| MISRA 2012 Rule 22.2 | Pointer deallocation without a corresponding dynamic allocation A block of memory shall only be freed if it was allocated by means of a Standard Library function | PRQA QA||||||||||||
Include Page | PRQA QA-C_v | PRQA QA-C_v | 2721, 2722, 2723Checks for:
Rule fully covered. | ||||||||||||
PVS-Studio |
| V585, V726 | |||||||||||||
RuleChecker |
| invalid-free | Partially checked | ||||||||||||
TrustInSoft Analyzer |
| unclassified ("free expects a free-able address") | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2015-0240 describes a vulnerability in which an uninitialized pointer is passed to TALLOC_FREE()
, which is a Samba-specific memory deallocation macro that wraps the talloc_free()
function. The implementation of talloc_free()
would access the uninitialized pointer, resulting in a remote exploit.
...
Bibliography
[ISO/IEC 9899:20112024] | Subclause J.2, "Undefined Behavior" |
[Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
...