Dangling pointers can lead to exploitable double-free and access-freed-memory vulnerabilities. A simple yet effective way to eliminate dangling pointers and avoid many memory-related vulnerabilities is to set pointers to
NULL after they are freed or to set them to another valid object.
Noncompliant Code Example
In this noncompliant code example, the type of a message is used to determine how to process the message itself. It is assumed that
message_type is an integer and
message is a pointer to an array of characters that were allocated dynamically. If
value_1, the message is processed accordingly. A similar operation occurs when
value_2. However, if
message_type == value_1 evaluates to true and
message_type == value_2 also evaluates to true, then
message is freed twice, resulting in a double-free vulnerability.
free() on a null pointer results in no action being taken by
NULL after it is freed eliminates the possibility that the
message pointer can be used to free the same memory more than once.
MEM01-C-EX1: If a nonstatic variable goes out of scope immediately following the
free(), it is not necessary to clear its value because it is no longer accessible.
Setting pointers to
NULL or to another valid value after memory is freed is a simple and easily implemented solution for reducing dangling pointers. Dangling pointers can result in freeing memory multiple times or in writing to memory that has already been freed. Both of these problems can lead to an attacker executing arbitrary code with the permissions of the vulnerable process.
|Supported: Astrée reports usage of invalid pointers.|
|Axivion Bauhaus Suite|
Can detect the specific instances where memory is deallocated more than once or read/written to the target of a freed pointer
|LDRA tool suite|
|484 S, 112 D||Partially implemented|
Do not use resources that have been freed
|Parasoft Insure++||Detects dangling pointers at runtime|
|CERT C: Rec. MEM01-C||Checks for missing reset of a freed pointer (rec. fully covered)|
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
|SEI CERT C++ Coding Standard||VOID MEM01-CPP. Store a valid value in pointers immediately after deallocation|
|ISO/IEC TR 24772:2013||Dangling References to Stack Frames [DCM]|
Dangling Reference to Heap [XYK]
Off-by-one Error [XZH]
|MITRE CWE||CWE-415, Double free|
CWE-416, Use after free