Versions Compared

Comment: Updated UB references from C11->C23

...

See also undefined behavior 184 (179 before this revision).

Freeing memory that is not allocated dynamically can result in heap corruption and other serious errors. Do not call free() on a pointer other than one returned by a standard memory allocation function, such as malloc(), calloc(), realloc(), or aligned_alloc().

...

C2721 C2722 C2723

C++2721, C++2722, C++2723

invalid (rule partially covered) 

| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | | invalid-free | Fully checked |
| Axivion Bauhaus Suite | | CertC-MEM34 | Can detect memory deallocations for stack objects |
| Clang | | clang-analyzer-unix.Malloc | Checked by clang-tidy; can detect some instances of this rule, but does not detect all |
| CodeSonar | | ALLOC.TM | Type Mismatch |
| Compass/ROSE | | | Can detect some violations of this rule |
| Coverity | | BAD_FREE | Identifies calls to free() where the argument is a pointer to a function or an array. It also detects the cases where free() is used on an address-of expression, which can never be heap allocated. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary |
| Cppcheck | | autovarInvalidDeallocation, mismatchAllocDealloc | Partially implemented |
| Cppcheck Premium | | autovarInvalidDeallocation, mismatchAllocDealloc | Partially implemented |
| Helix QAC | | DF2721, DF2722, DF2723 | |
| Klocwork | | FNH.MIGHT, FNH.MUST | |
| LDRA tool suite | | 407 S, 483 S, 644 S, 645 S, 125 D | Partially implemented |
| Parasoft C/C++test | | CERT_C-MEM34-a | Do not free resources using invalid pointers |
| Parasoft Insure++ | | | Runtime analysis |
| PC-lint Plus | | 424, 673 | Fully supported |
| Polyspace Bug Finder | | CERT C: Rule MEM34-C | Checks for: Invalid free of pointer; Invalid reallocation of pointer. Rule fully covered. |
| PRQA QA-C | | 2721, 2722, 2723 | |
| PRQA QA-C++ | | 2721, 2722, 2723 | |
| PVS-Studio | | V585, V726 | |
| RuleChecker | | invalid-free | Partially checked |
| TrustInSoft Analyzer | | unclassified ("free expects a free-able address") | Exhaustively verified (see one compliant and one non-compliant example). |

Related Vulnerabilities

CVE-2015-0240 describes a vulnerability in which an uninitialized pointer is passed to TALLOC_FREE(), which is a Samba-specific memory deallocation macro that wraps the talloc_free() function. The implementation of talloc_free() would access the uninitialized pointer, resulting in a remote exploit.
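The following is an added example, not code from this page or from Samba. It shows one compliant pattern for both the rule stated above and the uninitialized-pointer case described for CVE-2015-0240: the heap pointer is tracked separately from the working pointer and initialized to NULL, so every exit path can call free() safely. The names upcase_copy and SMALL are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { SMALL = 16 };   /* hypothetical threshold for the stack scratch buffer */

/* Copies an upper-cased version of src into out.
 * Returns 0 if the stack scratch buffer was used, 1 if heap memory was used,
 * and -1 on error (bad argument, out too small, or allocation failure). */
int upcase_copy(const char *src, char *out, size_t outlen)
{
    char small[SMALL];   /* automatic storage: must never reach free() */
    char *heap = NULL;   /* initialized, so free(heap) is defined on every path */
    char *work = small;  /* may alias small[] or heap; never passed to free() */
    size_t n, i;
    int rc = -1;

    if (src == NULL || out == NULL || outlen == 0)
        goto done;       /* early exit: heap is still NULL, free(NULL) is a no-op */

    n = strlen(src) + 1;
    if (n > outlen)
        goto done;

    if (n > sizeof small) {
        heap = malloc(n);
        if (heap == NULL)
            goto done;
        work = heap;
    }

    for (i = 0; i < n; i++)
        work[i] = (char)toupper((unsigned char)src[i]);
    memcpy(out, work, n);
    rc = (heap != NULL);

done:
    free(heap);          /* not free(work): work may point at small[] */
    return rc;
}

int main(void)
{
    char out[64];
    printf("%d %s\n", upcase_copy("abc", out, sizeof out), out);
    return 0;
}
```

Calling free(work) at the done label instead would violate this rule whenever the input fits in small[].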

...

Bibliography

[ISO/IEC 9899:2024] (previously [ISO/IEC 9899:2011]) Subclause J.2, "Undefined Behavior"
[Seacord 2013b] Chapter 4, "Dynamic Memory Management"

...