Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Dangling pointers can lead to exploitable double-free and access-freed-memory vulnerabilities. A simple yet effective way to eliminate dangling pointers and avoid many memory-related vulnerabilities is to set pointers to NULL after they have been freed. Calling free() on a null pointer results in no action being taken by free().Alternatively, a pointer may be set to point they are freed or to set them to another valid object.

...

Noncompliant Code Example

In this noncompliant code example, the type of a message is used to determine how to process the message itself. It is assumed that message_type is an integer and message is a pointer to an array of characters that were allocated dynamically. If message_type equals value_1, the message is processed accordingly. A similar operation occurs when message_type equals value_2. However, if message_type == value_1 evaluates to true and message_type == value_2 also evaluates to true, then message will be is freed twice, resulting in an errora double-free vulnerability.

Code Block
bgColor#FFcccc
langc
char *message;
int message_type;

/* Initialize message and message_type */

if (message_type == value_1) {
  /* Process message type 1 */
  free(message);
}
/* ...*/
if (message_type == value_2) {
   /* Process message type 2 */
  free(message);
}

Compliant Solution

As stated above, calling Calling free() on a null pointer results in no action being taken by free(). By setting Setting message equal to NULL after it has been freed, the double-free vulnerability has been eliminatedis freed eliminates the possibility that the message pointer can be used to free the same memory more than once.

Code Block
bgColor#ccccff
langc
char *message;
int message_type;

/* Initialize message and message_type */

if (message_type == value_1) {
  /* Process message type 1 */
  free(message);
  message = NULL;
}
/* ... */
if (message_type == value_2) {
  /* Process message type 2 */
  free(message);
  message = NULL;
}

Exceptions

MEM01-C-EX1: If a nonstatic variable goes out of scope immediately following the free(), it is not necessary to clear its value because it is no longer accessible.

Code Block
bgColor#ccccff
langc
void foo(void) {
  char *str;
  /* ... */
  free(str);
  return;
}

Risk Assessment

Setting pointers to NULL after memory has been or to another valid value after memory is freed is a simple and easily implemented solution for reducing dangling pointers. Dangling pointers can result in freeing memory multiple times or in writing to memory that has already been freed. Both of these problems can lead to an attacker executing arbitrary code with the permissions of the vulnerable process.

Recommendation

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

MEM01-C

High

Unlikely

Yes

Yes

P9

L2

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported: Astrée reports usage of invalid pointers.
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-MEM01Fully implemented
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.DF
ALLOC.UAF

Double free
Use after free

Compass/ROSE




Coverity

Include Page
Coverity_V
Coverity_V

USE_AFTER_FREE

Can detect the specific instances where memory is deallocated more than once or read/written to the target of a freed pointer

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C3005


LDRA tool suite
Include Page
LDRA_V
LDRA_V
484 S, 112 D

MEM01-A

3 (high)

2 (probable)

3 (low)

P18

L1

Partially implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-MEM01-a
CERT_C-MEM01-b
CERT_C-MEM01-c
CERT_C-MEM01-d

Do not use resources that have been freed
Always assign a new value to an expression that points to deallocated memory
Always assign a new value to global or member variable that points to deallocated memory
Always assign a new value to parameter or local variable that points to deallocated memory

Parasoft Insure++

Detects dangling pointers at runtime

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. MEM01-CChecks for missing reset of a freed pointer (rec. fully covered)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.3.2, "The free function"
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management"
\[[Plakosh 05|AA. C References#Plakosh 05]\]

Related Guidelines

SEI CERT C++ Coding StandardVOID MEM01-CPP. Store a valid value in pointers immediately after deallocation
ISO/IEC TR 24772:2013Dangling References to Stack Frames [DCM]
Dangling Reference to Heap [XYK]
Off-by-one Error [XZH]
MITRE CWECWE-415, Double free
CWE-416, Use after free

Bibliography

[Seacord 2013]Chapter 4, "Dynamic Memory Management"
[Plakosh 2005]


...

Image Added Image Added Image AddedMEM00-A. Allocate and free memory in the same module, at the same level of abstraction      08. Memory Management (MEM)       MEM02-A. Do not cast the return value from malloc()