Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated references from C11->C23

...

According to the C Standard, using the value of a pointer that refers to space deallocated by a call to the free() or realloc() function is undefined behavior. (see See undefined behavior 177.).

Reading a pointer to deallocated memory is undefined behavior because the pointer value is indeterminate and might be a trap representation. Fetching a trap representation might perform a hardware trap (but is not required to).

...

Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities. It is also a common error to misuse the realloc() function in a manner that results in double-free vulnerabilities. (see See MEM04-C. Beware of zero-length allocations.).

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM30-C

High

Likely

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

CodeSonar
Astrée
Include Page
CodeSonar
Astrée_V
CodeSonar
Astrée_V

ALLOC.UAF

Use after free

Compass/ROSE

 

 

 

dangling_pointer_use

Supported

Astrée reports all accesses to freed allocated memory.

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-MEM30Detects memory accesses after its deallocation and double memory deallocations
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.UAF

Use after free
Compass/ROSE




Coverity

Include Page
Coverity_V
Coverity

Coverity

Include PageCoverity_VCoverity
_V

USE_AFTER_FREE

Can detect the specific instances where memory is deallocated more than once or read/written to the target of a freed pointer

Fortify SCA

5.0

Double Free

 

Klocwork

Include PageKlocwork_VKlocwork_V

UFM.DEREF.MIGHT
UFM.DEREF.MUST
UFM.RETURN.MIGHT
UFM.RETURN.MUST
UFM.USE.MIGHT
UFM.USE.MUST

 

LDRA tool suite

Include PageLDRA_VLDRA_V

51 D, 484 S, 112 D

Partially implemented

Parasoft C/C++test9.5BD-RES-FREE Parasoft Insure++  Detects accessing freed memory at runtime

Splint

Include PageSplint_VSplint_V

 

 

Related Vulnerabilities

VU#623332 describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth()

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

Accessing freed memory [accfree]
Freeing memory multiple times [dblfree]

...

Cppcheck

Include Page
Cppcheck_V
Cppcheck_V

doubleFree
deallocret
deallocuse
Partially implemented
Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

doubleFree
deallocret
deallocuse
Partially  implemented
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF4866, DF4867, DF4868, DF4871, DF4872, DF4873

C++3339, C++4303, C++4304


Klocwork
Include Page
Klocwork_V
Klocwork_V
UFM.DEREF.MIGHT
UFM.DEREF.MUST
UFM.FFM.MIGHT
UFM.FFM.MUST
UFM.RETURN.MIGHT
UFM.RETURN.MUST
UFM.USE.MIGHT
UFM.USE.MUST


LDRA tool suite
Include Page
LDRA_V
LDRA_V

51 D, 484 S, 112 D

Partially implemented

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-MEM30-a

Do not use resources that have been freed
Parasoft Insure++

Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

449, 2434

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule MEM30-C

Checks for:

  • Accessing previously freed pointer
  • Freeing previously freed pointer

Rule partially covered.

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V586, V774
Splint
Include Page
Splint_V
Splint_V



TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

dangling_pointer

Exhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

VU#623332 describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth()

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C Secure Coding StandardMEM01-C. Store a new value in pointers immediately after free()Prior to 2018-01-12: CERT: Unspecified Relationship
CERT CMEM50-CPP. Do not access freed memoryPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Dangling References to Stack Frames [DCM]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Dangling Reference to Heap [XYK]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Accessing freed memory [accfree]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Freeing memory multiple times [dblfree]Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012Rule 18.6 (required)Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-416, Use After Free2017-07-07: CERT: Exact
CWE 2.11CWE-6722017-07-07: CERT: Rule subset of CWE

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-672 and MEM30-C

Intersection( MEM30-C, FIO46-C) = Ø CWE-672 = Union( MEM30-C, list) where list =


  • Use of a resource, other than memory after it has been released (eg: reusing a closed file, or expired mutex)


CWE-666 and MEM30-C

Intersection( MEM30-C, FIO46-C) = Ø

CWE-672 = Subset( CWE-666)

CWE-758 and MEM30-C

CWE-758 = Union( MEM30-C, list) where list =


  • Undefined behavior that is not covered by use-after-free errors


CWE-415 and MEM30-C

MEM30-C = Union( CWE-456, list) where list =


  • Dereference of a pointer after freeing it (besides passing it to free() a second time)

...


Bibliography

[ISO/IEC 9899:
2011
2024]7.
22
24.3, "Memory Management Functions"
[Kernighan 1988]Section 7.8.5, "Storage Management"
[OWASP Freed Memory]
 

[MIT 2005]
 

[Seacord 2013b]Chapter 4, "Dynamic Memory Management"
[Viega 2005]Section 5.2.19, "Using Freed Memory"
[VU#623332]
 

[xorl 2009]CVE-2009-1364: LibWMF Pointer Use after free()

...


...

Image Modified Image Modified Image Modified