Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated UB references from C11->C23

The pointer argument to the free or realloc function does not match a pointer earlier returned by a memory management function, or the space has been deallocated by a call to free or realloc.

See also undefined behavior 184.

Freeing memory that is not allocated dynamically can lead to serious errors. The specific consequences of this error depend on the compiler, but they range from nothing to abnormal program termination. Regardless of the compiler, avoid calling result in heap corruption and other serious errors. Do not call free() on anything a pointer other than a pointer one returned by a dynamic-standard memory allocation function, such as malloc(), calloc(), realloc(), or reallocaligned_alloc().

A similar situation arises when realloc() is supplied a pointer to nondynamically non-dynamically allocated memory. The realloc() function is used to resize a block of dynamic memory. If realloc() is supplied a pointer to memory not allocated by a standard memory allocation function, such as malloc(), the behavior is undefined. One consequence is that the program may terminate abnormally.

This rule does not apply to null pointers. The C Standard guarantees that if free() is passed a null pointer, no action occurs.

Noncompliant Code Example

This noncompliant code example sets c_str to reference either dynamically allocated memory or a statically allocated string literal depending on the value of argc. In either case, c_str is passed as an argument to free(). If anything other than dynamically allocated memory is referenced by c_str, the call to free(c_str) is erroneous.

Code Block
bgColor#FFcccc
langc
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
 
enum { MAX_ALLOCATION = 1000 };

int main(int argc, const char *argv[]) {
  char *c_str = NULL;
  size_t len;

  if (argc == 2) {
    len = strlen(argv[1]) + 1;
    if (len > MAX_ALLOCATION) {
      /* Handle error */
    }
    c_str = (char *)malloc(len);
    if (c_str == NULL) {
      /* Handle allocation error */
    }
    strcpy(c_str, argv[1]);
  }
  else {
    c_str = "usage: $>a.exe [string]";
    printf("%s\n", c_str);
  }
  /* ... */
  free(c_str);
  return 0;
}

Compliant Solution

This compliant solution eliminates the possibility of str referencing nondynamic memory when it is supplied c_str referencing memory that is not allocated dynamically when passed to free().:

Code Block
bgColor#ccccff
langc
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
 
enum { MAX_ALLOCATION = 1000 };

int main(int argc, const char *argv[]) {
  char *c_str = NULL;
  size_t len;

  if (argc == 2) {
    len = strlen(argv[1]) + 1;
    if (len > MAX_ALLOCATION) {
      /* Handle error */
    }
    c_str = (char *)malloc(len);
    if (c_str == NULL) {
      /* Handle allocation error */
    }
    strcpy(c_str, argv[1]);
  }
  else {
    printf("%s\n", "usage: $>a.exe [string]");
    return EXIT_FAILURE;
  }
  free(c_str);
  return -1;
  }
  /* ... */
  free(str);
  return 0;
}

Risk Assessment

0;
}

Noncompliant Code Example (realloc())

In this noncompliant example, the pointer parameter to realloc(), buf, does not refer to dynamically allocated memory:

Code Block
bgColor#FFcccc
langc
#include <stdlib.h>
 
enum { BUFSIZE = 256 };
 
void f(void) {
  char buf[BUFSIZE];
  char *p = (char *)realloc(buf, 2 * BUFSIZE);
  if (p == NULL) {
    /* Handle error */
  }
}

Compliant Solution (realloc())

In this compliant solution, buf refers to dynamically allocated memory:

Code Block
bgColor#ccccff
langc
#include <stdlib.h>
 
enum { BUFSIZE = 256 };
 
void f(void) {
  char *buf = (char *)malloc(BUFSIZE * sizeof(char));
  char *p = (char *)realloc(buf, 2 * BUFSIZE);
  if (p == NULL) {
    /* Handle error */
  }
}

Note that realloc() will behave properly even if malloc() failed, because when given a null pointer, realloc() behaves like a call to malloc().

Risk Assessment

The consequences of this error depend on the implementation, but they range from nothing Freeing or reallocating memory that was not dynamically allocated can lead to arbitrary code execution if that memory is reused by malloc(). 

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM34-C

high

High

likely

Likely

medium

Medium

P18

L1

Automated Detection

...

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

invalid-free

Fully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-MEM34Can detect memory deallocations for stack objects
Clang
Include Page
Clang_V
Clang_V
clang-analyzer-unix.MallocChecked by clang-tidy; can detect some instances of this rule, but does not detect all
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.TM

Type Mismatch

Compass/ROSE

Can detect some violations of this rule

Coverity

Include Page
Coverity_V
Coverity_V

BAD_FREE

Identifies calls to free() where the argument is a pointer to a function or an array. It also detects the cases where
free() is used on an address-of expression, which can never be heap allocated. Coverity Prevent cannot discover all
violations of this rule, so further verification is necessary

...

Cppcheck

Include Page
Cppcheck_V
Cppcheck_V

autovarInvalidDeallocation
mismatchAllocDealloc
Partially implemented
Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

autovarInvalidDeallocation
mismatchAllocDealloc
Partially implemented
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF2721, DF2722, DF2723


Klocwork
Include Page
Klocwork_V
Klocwork_V
FNH.MIGHT
FNH.MUST

LDRA tool suite
Include Page
LDRA_V
LDRA_V

407 S, 483 S, 644 S, 645 S, 125 D

Partially implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-MEM34-a

Do not free resources using invalid pointers
Parasoft Insure++

Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

424, 673

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule MEM34-C


Checks for:

  • Invalid free of pointer
  • Invalid reallocation of pointer

Rule fully covered.

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V585, V726
RuleChecker
Include Page
RuleChecker_V
RuleChecker_V
invalid-free
Partially checked
TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

unclassified ("free expects a free-able address")

Exhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

CVE-2015-0240 describes a vulnerability in which an uninitialized pointer is passed to TALLOC_FREE(), which is a Samba-specific memory deallocation macro that wraps the talloc_free() function. The implementation of  talloc_free() would access the uninitialized pointer, resulting in a remote exploit.

Klocwork Version 8.0.4.16 can detect violations of this rule with the FNH.MIGHT, FNH.MUST, FUM.GEN.MIGHT, FUM.GEN.MUST, FUM.ZERO.MIGHT, and FUM.ZERO.MUST checkers.

Compass/ROSE can detect some violations of this rule.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as MEM34-CPP. Only free memory allocated dynamically.

References

Wiki Markup
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.3, "Memory management functions"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 590|http://cwe.mitre.org/data/definitions/590.html], "Free of Invalid Pointer Not on the Heap"
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management"

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C Secure Coding StandardMEM31-C. Free dynamically allocated memory when no longer neededPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CMEM51-CPP. Properly deallocate dynamically allocated resourcesPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Reallocating or freeing memory that was not dynamically allocated [xfree]Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-590, Free of Memory Not on the Heap2017-07-10: CERT: Exact

Bibliography

[ISO/IEC 9899:2024]Subclause J.2, "Undefined Behavior"
[Seacord 2013b]Chapter 4, "Dynamic Memory Management"


...

Image Added Image Added MEM33-C. Use the correct syntax for flexible array members      08. Memory Management (MEM)      Image Modified