SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Freeing memory multiple times has similar consequences to accessing memory after it is freed. The underlying data structures that manage the heap can become corrupted in a way that could introduce security vulnerabilities into a program. These types of issues are referred to as double-free vulnerabilities. In practice, double-free vulnerabilities can be exploited to execute arbitrary code. For instance, VU#62332, which describes a double free vulnerability in the MIT Kerberos 5 function krb5_recvauth(). To eliminate double-free vulnerabilities, it is necessary to guarantee that dynamic memory is freed only once. Programmers should be wary when freeing memory in a loop or conditional statement, if coded incorrectly, these constructs can lead to double-free vulnerabilities.

Non-compliant Code Example 1

In this example, a string of upper case characters is converted to lower all case characters. The pointer to the uppercase string, str is passed to the routine func(). In this routine, a pointer, temp, is set to str and used convert the string "ABCD" to "abcd". Once the string is converted, temp is freed and the function returns. However, because temp references the same storage as str, when temp was freed so was str. As a result, when str is freed a second time in main, freed memory may accessed leading to unpredictable program behavior.

#include <stdlib.h>
#include <stdio.h>

int func(char *str, size_t size) {
  char *temp = str;  /*str and temp reference same location */
  size_t i;
  for (i = 0; i < size-1; i++) temp[i] += 32;
  free(temp);
  return 0;
}

int main(void) {
  size_t size = 5;
  char *str = malloc(size);
  strncpy(str,"ABCD",size);
  printf("%s\n",str); /* 1st printing of str */
  func(str,size);
  free(str);
  return 0;
}

Compliant Solution 1

Only free a pointer to dynamic memory once. This can be accomplished in this example by removing the call to free(str) in main().

#include <stdlib.h>
#include <stdio.h>

int func(char *str, size_t size) {
  char *temp = str;  /*str and temp reference same location */
  size_t i;
  for (i = 0; i < size-1; i++) temp[i] += 32;
  free(temp);
  return 0;
}

int main(void) {
  size_t size = 5;
  char *str = malloc(size);
  strncpy(str,"ABCD",size);
  printf("%s\n",str); /* 1st printing of str */
  func(str,size);
  return 0;
}

References

  • No labels