...
Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities. It is also a common error to misuse the realloc()
function in a manner that results in double-free vulnerabilities. (See MEM04-C. Beware of zero-length allocations.)
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MEM30-C | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description |
---|
Astrée |
|
|
USE_AFTER_FREE
|
ALLOC.UAF
dangling_pointer_use | Supported Astrée reports all accesses to freed allocated memory. | ||||||||
Axivion Bauhaus Suite |
| CertC-MEM30 | Detects memory accesses after its deallocation and double memory deallocations | ||||||
CodeSonar |
| ALLOC.UAF | Use after free | ||||||
Compass/ROSE | |||||||||
| USE_AFTER_FREE |
Can detect the specific instances where memory is deallocated more than once or read/written to the target of a freed pointer |
Cppcheck |
|
|
|
UFM.DEREF.MIGHT
UFM.DEREF.MUST
UFM.FFM.MIGHT
UFM.FFM.MUST
UFM.RETURN.MIGHT
UFM.RETURN.MUST
UFM.USE.MIGHT
UFM.USE.MUST
51 D, 484 S, 112 D
Partially implemented
Deallocation of previously deallocated pointer, Use of previously freed pointer
Memory freed more than once without allocation
Memory accessed after deallocation
Related Vulnerabilities
VU#623332 describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth().
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
Accessing freed memory [accfree]
Freeing memory multiple times [dblfree]
...
doubleFree deallocret deallocuse | Partially implemented | ||||||||
Cppcheck Premium |
| doubleFree deallocret deallocuse | Partially implemented | ||||||
Helix QAC |
| DF4866, DF4867, DF4868, DF4871, DF4872, DF4873 C++3339, C++4303, C++4304 | |||||||
Klocwork |
| UFM.DEREF.MIGHT UFM.DEREF.MUST UFM.FFM.MIGHT UFM.FFM.MUST UFM.RETURN.MIGHT UFM.RETURN.MUST UFM.USE.MIGHT UFM.USE.MUST | |||||||
LDRA tool suite |
| 51 D, 484 S, 112 D | Partially implemented | ||||||
Parasoft C/C++test |
| CERT_C-MEM30-a | Do not use resources that have been freed | ||||||
Parasoft Insure++ | Runtime analysis | ||||||||
PC-lint Plus |
| 449, 2434 | Fully supported | ||||||
Polyspace Bug Finder |
| Checks for:
Rule partially covered. | |||||||
PVS-Studio |
| V586, V774 | |||||||
Splint |
| ||||||||
TrustInSoft Analyzer |
| dangling_pointer | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
VU#623332 describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth().
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard | MEM01-C. Store a new value in pointers immediately after free() | Prior to 2018-01-12: CERT: Unspecified Relationship |
CERT C | MEM50-CPP. Do not access freed memory | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Dangling References to Stack Frames [DCM] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Dangling Reference to Heap [XYK] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961 | Accessing freed memory [accfree] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961 | Freeing memory multiple times [dblfree] | Prior to 2018-01-12: CERT: Unspecified Relationship |
MISRA C:2012 | Rule 18.6 (required) | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-416, Use After Free | 2017-07-07: CERT: Exact |
CWE 2.11 | CWE-672 | 2017-07-07: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-672 and MEM30-C
Intersection( MEM30-C, FIO46-C) = Ø CWE-672 = Union( MEM30-C, list) where list =
- Use of a resource, other than memory after it has been released (eg: reusing a closed file, or expired mutex)
CWE-666 and MEM30-C
Intersection( MEM30-C, FIO46-C) = Ø
CWE-672 = Subset( CWE-666)
CWE-758 and MEM30-C
CWE-758 = Union( MEM30-C, list) where list =
- Undefined behavior that is not covered by use-after-free errors
CWE-415 and MEM30-C
MEM30-C = Union( CWE-456, list) where list =
- Dereference of a pointer after freeing it (besides passing it to free() a second time)
...
Bibliography
[ISO/IEC 9899: |
2024] | 7. |
24.3, "Memory Management Functions" | |
[Kernighan 1988] | Section 7.8.5, "Storage Management" |
[OWASP Freed Memory] |
[MIT 2005] |
[Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
[Viega 2005] | Section 5.2.19, "Using Freed Memory" |
[VU#623332] |
[xorl 2009] | CVE-2009-1364: LibWMF Pointer Use after free() |
...
...