Page History

Dangling pointers can lead to exploitable double-free and access-freed-memory vulnerabilities. A simple yet effective way to eliminate dangling pointers and avoid many memory-related vulnerabilities is to set pointers to NULL after they have been they are freed or to set them to another valid object.

...

In this noncompliant code example, the type of a message is used to determine how to process the message itself. It is assumed that message_type is an integer and message is a pointer to an array of characters that were allocated dynamically. If message_type equals value_1, the message is processed accordingly. A similar operation occurs when message_type equals value_2. However, if message_type == value_1 evaluates to true and message_type == value_2 also evaluates to true, then message is freed twice, resulting in a double-free vulnerability.

Code Block

bgColor	#FFcccc
lang	c


char *message;
int message_type;

/* Initialize message and message_type */

if (message_type == value_1) {
  /* Process message type 1 */
  free(message);
}
/* ...*/
if (message_type == value_2) {
   /* Process message type 2 */
  free(message);
}

...

Calling free() on a null pointer results in no action being taken by free(). Setting message to NULL after it has been is freed eliminates the possibility that the message pointer can be used to free the same memory more than once.

Code Block

bgColor	#ccccff
lang	c


char *message;
int message_type;

/* initializeInitialize message and message_type */

if (message_type == value_1) {
  /* Process message type 1 */
  free(message);
  message = NULL;
}
/* ... */
if (message_type == value_2) {
  /* Process message type 2 */
  free(message);
  message = NULL;
}

Exceptions

MEM01-C-EX1: If a nonstatic variable goes out of scope immediately following the free(), it is not necessary to clear its value because it is no longer accessible.

Code Block

bgColor	#ccccff
lang	c


void foo(void) {
  char *str;
  /* ... */
  free(str);
  return;
}

Risk Assessment

Setting pointers to NULL or to another valid value after memory has been memory is freed is a simple and easily implemented solution for reducing dangling pointers. Dangling pointers can result in freeing memory multiple times or in writing to memory that has already been freed. Both of these problems can lead to an attacker executing arbitrary code with the permissions of the vulnerable process.

Recommendation	Severity	Likelihood	Detectable

Remediation Cost

Repairable	Priority	Level
MEM01-C

high

High

Unlikely

unlikely

Yes

low

Yes

P9

L2

Automated Detection

Tool	Version	Checker	Description

Section
Compass/ROSE

Section

Section
Coverity Prevent

Include Page

Astrée

Include Page

	Astrée_V
	Astrée_V

Supported: Astrée reports usage of invalid pointers.

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-MEM01

Fully implemented

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

ALLOC.DF
ALLOC.UAF

Double free
Use after free

Compass/ROSE

Coverity

Include Page

	Coverity_V
	Coverity_V

c:Coverity_Vc:Coverity_Vsection

USE_AFTER_FREE

Sectioncan

Can detect the specific instances where

Memory

memory is deallocated more than once or

Read

read/

Write

written to the target of a freed pointer

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C3005

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

484 S, 112 D

Partially implemented

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-MEM01-a
CERT_C-MEM01-b
CERT_C-MEM01-c
CERT_C-MEM01-d

Do not use resources that have been freed
Always assign a new value to an expression that points to deallocated memory
Always assign a new value to global or member variable that points to deallocated memory
Always assign a new value to parameter or local variable that points to deallocated memory

Parasoft Insure++

Detects dangling pointers at runtime

Polyspace Bug Finder

Include Page