The C Standard, Annex J (184) [ISO/IEC 9899:20112024], states that the behavior of a program is undefined when
...
Tool | Version | Checker | Description | |||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Astrée |
| invalid-free | Fully checked | |||||||||||||||||
Axivion Bauhaus Suite |
| CertC-MEM34 | Can detect memory deallocations for stack objects | |||||||||||||||||
Clang |
| clang-analyzer-unix.Malloc | Checked by clang-tidy ; can detect some instances of this rule, but does not detect all | |||||||||||||||||
CodeSonar |
| ALLOC. | FNHFree non-heap variableTM | Type Mismatch | ||||||||||||||||
Compass/ROSE | Can detect some violations of this rule | |||||||||||||||||||
| BAD_FREE | Identifies calls to | ||||||||||||||||||
Cppcheck |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | |||||||||||||||||
Cppcheck Premium |
| autovarInvalidDeallocation mismatchAllocDealloc | Partially implemented | |||||||||||||||||
Helix QAC |
| DF2721, DF2722, DF2723 | ||||||||||||||||||
Klocwork |
| FNH.MIGHT FNH.MUST | FUM.GEN.MUST | |||||||||||||||||
LDRA tool suite |
| 407 S, 483 S, 644 S, 645 S, 125 D | Partially implemented | |||||||||||||||||
Parasoft C/C++test |
| CERT_C-MEM34-a | Do not free resources using invalid pointers | |||||||||||||||||
Parasoft Insure++ | Runtime analysis | |||||||||||||||||||
PC-lint Plus |
| 424, 673 | Fully supported | |||||||||||||||||
Polyspace Bug Finder |
| Checks for | invalid :
| (rule partially covered)PRQA QA-C | ||||||||||||||||
Include Page | PRQA QA-C_v | PRQA QA-C_v | 2721, 2722, 2723 | PRQA QA-C++ | ||||||||||||||||
Include Page | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V |
Rule fully covered. | |||||||||||||||||
2721, 2722, 2723 | PVS-Studio |
| V585, V726 | |||||||||||||||||
RuleChecker |
| invalid-free | Partially checked | |||||||||||||||||
TrustInSoft Analyzer |
| unclassified ("free expects a free-able address") | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2015-0240 describes a vulnerability in which an uninitialized pointer is passed to TALLOC_FREE()
, which is a Samba-specific memory deallocation macro that wraps the talloc_free()
function. The implementation of talloc_free()
would access the uninitialized pointer, resulting in a remote exploit.
...
Bibliography
[ISO/IEC 9899:20112024] | Subclause J.2, "Undefined Behavior" |
[Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
...