...
Non-compliant Code Example 1
may result in accessing freed memoryIn this example the type of a message is used to determine how to process the message itself. It is assumed that message_type is an integer and message is a pointer to an array of characters that were allocated dynanmically. If message_type equals value_1, the message is processed accordingly. A similar operation occurs when message_type equals value_2. However, if message_type == value_1 evaluates to true and message_type == value_2 also evaluates to true, then message will be freed twice resulting in an error.
| Code Block |
|---|
if (message_type == value_1) { /* Process message type 1 */ free(message); } if (message_type == value_2) { /* Process message type 2 */ free(message); } |
Non-compliant Code Example 1
memory set to NULL to correct thisAs stated above, calling free() on a NULL pointer results in no action being taken by free(). By setting message equal to NULL after it has been freed, the double-free vulnerability has been eliminated.
| Code Block |
|---|
if (message_type == value_1) {
/* Process message type 1 */
free(message);
message = NULL;
}
if (message_type == value_2) {
/* Process message type 2 */
free(message);
message = NULL;
}
|
References
- ISO/IEC 9899-1999 Section 7.20.3.2 The free function
- Seacord 05 Chapter 4 Dynamic Memory Management