...
Tool | Version | Checker | Description | |||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported, but no explicit checkerdangling_pointer_use | Supported Astrée reports all accesses to freed allocated memory. | |||||||||||||||||||||||||||||||||||
| Axivion Bauhaus Suite |
| CertC-MEM30 | Detects memory accesses after its deallocation and double memory deallocations | |||||||||||||||||||||||||||||||||||
| CodeSonar |
| ALLOC.UAF | Use after free | |||||||||||||||||||||||||||||||||||
| Compass/ROSE | ||||||||||||||||||||||||||||||||||||||
| USE_AFTER_FREE | Can detect the specific instances where memory is deallocated more than once or read/written to the target of a freed pointer Klocwork | ||||||||||||||||||||||||||||||||||||
| Cppcheck |
| Klocwork
| Klocwork
| UFM.DEREF.MIGHT | LDRA tool suite | |||||||||||||||||||||||||||||||||
| Include Page | LDRA_V | LDRA_V | 51 D, 484 S, 112 D | Partially implemented | Parasoft C/C++test | |||||||||||||||||||||||||||||||||
| Include Page | Parasoft_V | Parasoft_V | BD-RES-FREE | Implemented | Parasoft Insure++ | Detects accessing freed memory at runtime | Polyspace Bug Finder | |||||||||||||||||||||||||||||||
| Include Page | Polyspace Bug Finder_V | Polyspace Bug Finder_V | Deallocation of previously deallocated pointer Invalid use of standard library string routine | Memory freed more than once without allocation Standard library string function called with invalid arguments Memory accessed after deallocation Functions which are designed to provide operations on a resource should be called in an appropriate sequence The address of an object with automatic storage shall not be copied to another object that persists after the first object has ceased to exist All resources obtained dynamically by means of Standard Library functions shall be explicitly released A block of memory shall only be freed if it was allocated by means of a Standard Library function | PRQA QA-C | 9.1 | 1769, 1770 | PRQA QA-C++ | 4.2 | 3339, 4303, 4304doubleFree deallocret deallocuse | Partially implemented | |||||||||||||||||||||||||||
| Cppcheck Premium |
| doubleFree deallocret deallocuse | Partially implemented | |||||||||||||||||||||||||||||||||||
| Helix QAC |
| DF4866, DF4867, DF4868, DF4871, DF4872, DF4873 C++3339, C++4303, C++4304 | ||||||||||||||||||||||||||||||||||||
| Klocwork |
| UFM.DEREF.MIGHT UFM.DEREF.MUST UFM.FFM.MIGHT UFM.FFM.MUST UFM.RETURN.MIGHT UFM.RETURN.MUST UFM.USE.MIGHT UFM.USE.MUST | ||||||||||||||||||||||||||||||||||||
| LDRA tool suite |
| 51 D, 484 S, 112 D | Partially implemented | |||||||||||||||||||||||||||||||||||
| Parasoft C/C++test |
| CERT_C-MEM30-a | Do not use resources that have been freed | |||||||||||||||||||||||||||||||||||
| Parasoft Insure++ | Runtime analysis | |||||||||||||||||||||||||||||||||||||
| PC-lint Plus |
| 449, 2434 | Fully supported | |||||||||||||||||||||||||||||||||||
| Polyspace Bug Finder |
| Checks for:
Rule partially covered. | ||||||||||||||||||||||||||||||||||||
| PVS-Studio |
| V586, V774 | ||||||||||||||||||||||||||||||||||||
| Splint |
| |||||||||||||||||||||||||||||||||||||
| TrustInSoft Analyzer |
| dangling_pointer | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
VU#623332 describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth().
...
Bibliography
| [ISO/IEC 9899:20112024] | 7.2224.3, "Memory Management Functions" |
| [Kernighan 1988] | Section 7.8.5, "Storage Management" |
| [OWASP Freed Memory] | |
| [MIT 2005] | |
| [Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
| [Viega 2005] | Section 5.2.19, "Using Freed Memory" |
| [VU#623332] | |
| [xorl 2009] | CVE-2009-1364: LibWMF Pointer Use after free() |
...