SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 60 Next »

Freeing memory multiple times has similar consequences to accessing memory after it is freed. The underlying data structures that manage the heap can become corrupted in a way that could introduce security vulnerabilities into a program. These types of issues are referred to as double-free vulnerabilities. In practice, double-free vulnerabilities can be exploited to execute arbitrary code. VU#623332, which describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth(), is one example.

To eliminate double-free vulnerabilities, it is necessary to guarantee that dynamic memory is freed exactly one time. Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities. It is also a common error to misuse the realloc() function in a manner that results in double-free vulnerabilities (see [[MEM04-A. Do not perform zero length allocations]]).

Non-Compliant Code Example

In this example, the memory referred to by x may be freed twice: once if error_condition is true and again at the end of the code.

x = (int *)malloc (number * sizeof(int));
if (x == NULL) {
  /* Handle Allocation Error */
}
/* ... */
if (error_condition == 1) {
  /* Handle Error Condition*/
  free(x);
}
/* ... */
free(x);

Compliant Solution

Only free a pointer to dynamic memory referred to by x once. This is accomplished by removing the call to free() in the section of code executed when error_condition is true.

if (number > SIZE_MAX/sizeof(int)) {
   /* handle overflow */
  }
x = (int *)malloc(number * sizeof(int));
if (x == NULL) {
  /* Handle Allocation Error */
}
/* ... */
if (error_condition == 1) {
  /* Handle Error Condition*/
}
/* ... */
free(x);
x = NULL;

Note that this solution checks for numeric overflow [INT32-C. Ensure that operations on signed integers do not result in overflow].

Risk Assessment

Freeing memory multiple times can result in an attacker executing arbitrary code with the permissions of the vulnerable process.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM31-C

high

probable

medium

P12

L1

Automated Detection

The LDRA tool suite V 7.6.0 is able to detect violations of this rule.

The Fortify Source Code Analysis Suite Double Free detects instances of memory being freed more than once.

The Coverity Prevent RESOURCE_LEAK finds resource leaks from variables that go out of scope while owning a resource. Coverity Prevent cannot discover all violations of this rule so further verification is necessary.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[VU#623332]]
[[MIT 05]]
[[OWASP, Double Free]]
[[MITRE 07]] CWE ID 415, "Double Free"
[[Viega 05]] "Doubly freeing memory"

      08. Memory Management (MEM)       MEM32-C. Detect and handle memory allocation errors

  • No labels