You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 106 Next »

Undefined behavior 179 states that the behavior of a program is undefined when

The pointer argument to the free or realloc function does not match a pointer earlier returned by a memory management function, or the space has been deallocated by a call to free or realloc.

Freeing memory that is not allocated dynamically can result in heap corruption and other serious errors. Do not call free() on anything other than a pointer returned by a dynamic memory allocation function, such as malloc(), calloc(), realloc(), or aligned_alloc().

A similar situation arises when realloc() is supplied a pointer to non-dynamically allocated memory. The realloc() function is used to resize a block of dynamic memory. If realloc() is supplied a pointer to memory not allocated by a memory allocation function, such as malloc(), the program may terminate abnormally.

This rule does not apply to null pointers. The C Standard guarantees that if free() is passed a null pointer, no action occurs.

Noncompliant Code Example

This noncompliant code example sets str to reference either dynamically allocated memory or a statically allocated string literal depending on the value of argc. In either case, str is passed as an argument to free(). If anything other than dynamically allocated memory is referenced by str, the call to free(str) is erroneous.

#include <stdlib.h>
#include <string.h>
 
enum { MAX_ALLOCATION = 1000 };

int main(int argc, const char *argv[]) {
  char *str = NULL;
  size_t len;

  if (argc == 2) {
    len = strlen(argv[1]) + 1;
    if (len > MAX_ALLOCATION) {
      /* Handle error */
    }
    str = (char *)malloc(len);
    if (str == NULL) {
      /* Handle error */
    }
    strcpy(str, argv[1]);
  } else {
    str = "usage: $>a.exe [string]";
    printf("%s\n", str);
  }
  free(str);
  return 0;
}

Compliant Solution

This compliant solution eliminates the possibility of str referencing memory that is not allocated dynamically when passed to free():

#include <stdlib.h>
#include <string.h>
 
enum { MAX_ALLOCATION = 1000 };

int main(int argc, const char *argv[]) {
  char *str = NULL;
  size_t len;

  if (argc == 2) {
    len = strlen(argv[1]) + 1;
    if (len > MAX_ALLOCATION) {
      /* Handle error */
    }
    str = (char *)malloc(len);
    if (str == NULL) {
      /* Handle error */
    }
    strcpy(str, argv[1]);
  } else {
    printf("%s\n", "usage: $>a.exe [string]");
    return -1;
  }
  free(str);
  return 0;
}

Noncompliant Code Example (realloc())

In this noncompliant example, the pointer parameter to realloc(), buf, does not refer to dynamically allocated memory:

#include <stdlib.h>
 
enum { BUFSIZE = 256 };
 
void f(void) {
  char buf[BUFSIZE];
  char *p = (char *)realloc(buf, 2 * BUFSIZE);
  if (p == NULL) {
    /* handle error */
  }
}

Compliant Solution (realloc())

In this compliant solution, buf refers to dynamically allocated memory:

#include <stdlib.h>
 
enum { BUFSIZE = 256 };
 
void f(void) {
  char *buf = (char *)malloc(BUFSIZE * sizeof(char));
  char *p = (char *)realloc(buf, 2 * BUFSIZE);
  if (p == NULL) {
    /* handle error */
  }
}

Note that realloc() will behave properly even if malloc() failed, because when given a null pointer, realloc() behaves like a call to malloc().

Risk Assessment

The consequences of this error depend on the implementation, but they range from nothing to arbitrary code execution if that memory is reused by malloc()

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM34-C

High

Likely

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE

  

Can detect some violations of this rule

Coverity

2017.07

BAD_FREE

Identifies calls to free() where the argument is a pointer to a function or an array. It also detects the cases where Free is used on an address-of expression, which can never be heap allocated. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary

Klocwork

2024.3

FNH.MIGHT
FNH.MUST
FUM.GEN.MIGHT
FUM.GEN.MUST

 

LDRA tool suite

9.7.1

483 S

Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[Seacord 2013]Chapter 4, "Dynamic Memory Management"
[ISO/IEC 9899:2011]Annex J, subclause J.2, "Undefined Behavior"

 


  • No labels