Dynamic memory management is a common source of programming flaws that can lead to security vulnerabilities. Decisions about how dynamic memory is allocated, used, and deallocated fall entirely to the programmer: the language provides no bounds checks, no ownership tracking, and no protection against using a block after it has been returned to the allocator. Poor memory management can lead to security issues such as heap buffer overflows, dangling pointers, and double frees [Seacord 05]. From the programmer's perspective, memory management involves allocating memory, reading from and writing to that memory, and deallocating it.
The following rules and recommendations are designed to reduce the common errors associated with memory management, and address the misunderstandings behind those errors that lead to security vulnerabilities.
These guidelines apply to the following standard memory management routines described in C99 [[ISO/IEC 9899-1999]] Section 7.20.3:

```c
void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size);
void *realloc(void *ptr, size_t size);
void free(void *ptr);
```

The specific characteristics of these routines (alignment, heap layout, behavior of a zero-length request, how errors are reported) depend on the C library implementation in use, not on the language standard alone. With a few exceptions, this document considers only the general, implementation-independent attributes of these routines.
Recommendations
MEM00-A. Allocate and free memory in the same module, at the same level of abstraction
MEM01-A. Store a new value in pointers immediately after free()
MEM03-A. Clear sensitive information stored in reusable resources returned for reuse
MEM04-A. Do not perform zero length allocations
MEM05-A. Avoid large stack allocations
MEM06-A. Ensure that sensitive data is not written out to disk
MEM07-A. Ensure that the arguments to calloc() when multiplied can be represented as a size_t
MEM08-A. Use realloc() only to resize dynamically allocated arrays
MEM09-A. Do not assume memory allocation routines initialize memory
Rules
MEM30-C. Do not access freed memory
MEM31-C. Free dynamically allocated memory exactly once
MEM32-C. Detect and handle memory allocation errors
MEM33-C. Use the correct syntax for flexible array members
MEM34-C. Only free memory allocated dynamically
MEM35-C. Allocate sufficient memory for an object
MEM36-C. Do not store an address into an object with a longer lifetime
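As an added illustration (not code from the CERT standard itself), the C helpers below apply several of the listed rules and recommendations together: rejecting zero-length and overflowing size requests before they reach the allocator (MEM04-A, MEM07-A, MEM35-C), checking every allocation result (MEM32-C), resizing only memory that came from the allocator (MEM08-A), wiping sensitive contents before release (MEM03-A), and nulling the pointer on free so that a second free or a later dereference cannot silently corrupt the heap (MEM01-A, MEM30-C, MEM31-C, MEM34-C). The function names `secure_alloc_array`, `secure_resize_array`, `secure_free`, `wipe` and `demo`, and the 32-byte "key" buffer, are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers; names are this example's own, not the standard's.
 * Each comment cites the MEM rule or recommendation it applies. */

/* Overwrite a buffer through a volatile pointer so the compiler cannot
 * discard the stores as "dead" just before free(): MEM03-A. */
static void wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len-- > 0) {
        *p++ = 0;
    }
}

/* Allocate nmemb objects of size bytes each.
 * Refuses zero-length requests (MEM04-A) and products that do not fit in
 * size_t (MEM07-A, MEM35-C) before calling the allocator, and returns NULL
 * on failure so the caller can detect it (MEM32-C). The memory is NOT
 * initialized (MEM09-A). */
void *secure_alloc_array(size_t nmemb, size_t size) {
    if (nmemb == 0 || size == 0) {
        return NULL;
    }
    if (nmemb > SIZE_MAX / size) {
        return NULL; /* nmemb * size would wrap around */
    }
    return malloc(nmemb * size);
}

/* Grow or shrink a block previously returned by secure_alloc_array()
 * (MEM08-A: realloc() is used only on dynamically allocated arrays).
 * On failure *pbuf is left unchanged, so the original block is neither
 * leaked nor freed twice. Returns 0 on success, -1 on failure. */
int secure_resize_array(void **pbuf, size_t nmemb, size_t size) {
    if (pbuf == NULL || *pbuf == NULL || nmemb == 0 || size == 0) {
        return -1;
    }
    if (nmemb > SIZE_MAX / size) {
        return -1;
    }
    void *tmp = realloc(*pbuf, nmemb * size);
    if (tmp == NULL) {
        return -1; /* MEM32-C: caller still owns *pbuf */
    }
    *pbuf = tmp;
    return 0;
}

/* Scrub len bytes, free the block, and null the caller's pointer.
 * Nulling turns a second call into a no-op instead of a double free
 * (MEM31-C) and makes a later dereference fail loudly instead of reading
 * freed memory (MEM01-A, MEM30-C). Only allocator-owned pointers are ever
 * passed here (MEM34-C). */
void secure_free(void **pbuf, size_t len) {
    if (pbuf == NULL || *pbuf == NULL) {
        return;
    }
    wipe(*pbuf, len);
    free(*pbuf);
    *pbuf = NULL;
}

/* Exercise the helpers on a constructed 32-byte "key" buffer.
 * Returns the number of checks that passed (6 when everything works). */
int demo(void) {
    int passed = 0;
    unsigned char *key = NULL;

    /* 1. An overflowing request is refused before malloc() sees it. */
    if (secure_alloc_array(SIZE_MAX / 2 + 1, 2) == NULL) passed++;
    /* 2. A zero-length request is refused. */
    if (secure_alloc_array(0, 16) == NULL) passed++;

    /* 3. A sane request succeeds; fill it with constructed sample data. */
    key = secure_alloc_array(32, sizeof *key);
    if (key != NULL) {
        passed++;
        memset(key, 0xA5, 32);
    }

    /* 4. Resizing keeps the existing contents. */
    if (secure_resize_array((void **)&key, 64, sizeof *key) == 0 &&
        key != NULL && key[31] == 0xA5) passed++;

    /* 5. Freeing wipes the block and nulls the pointer. */
    secure_free((void **)&key, 64);
    if (key == NULL) passed++;

    /* 6. A second free of the same variable is harmless. */
    secure_free((void **)&key, 64);
    if (key == NULL) passed++;

    return passed;
}

int main(void) {
    printf("%d of 6 checks passed\n", demo());
    return 0;
}
```

The `wipe()` loop through a `volatile` pointer is the portable fallback; where the implementation provides `memset_s` (C11 Annex K) or `explicit_bzero`, those serve the same purpose. Note that nulling the caller's copy of the pointer does not help with other aliases of the same block, which is why MEM00-A (allocate and free in the same module) still matters.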
Risk Assessment Summary
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| MEM00-A | High | Probable | Medium | P12 | L1 |
| MEM01-A | High | Probable | Low | P18 | L1 |
| MEM02-A | Low | Unlikely | Low | P3 | L3 |
| MEM03-A | Medium | Unlikely | Low | P6 | L2 |
| MEM04-A | High | Probable | Medium | P12 | L1 |
| MEM05-A | Low | Unlikely | Medium | P2 | L3 |
| MEM06-A | Low | Unlikely | Medium | P2 | L3 |
| MEM07-A | High | Unlikely | High | P3 | L3 |
| MEM08-A | Medium | Unlikely | Medium | P4 | L3 |
| MEM09-A | Medium | Unlikely | Low | P6 | L2 |

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| MEM30-C | High | Likely | Medium | P18 | L1 |
| MEM31-C | High | Probable | Medium | P12 | L1 |
| MEM32-C | Low | Likely | Medium | P6 | L2 |
| MEM33-C | Low | Unlikely | Low | P3 | L3 |
| MEM34-C | Low | Unlikely | Medium | P2 | L3 |
| MEM35-C | High | Probable | High | P6 | L2 |
| MEM36-C | High | Likely | Medium | P18 | L1 |
Related Rules and Recommendations
References
[[ISO/IEC 9899-1999]] Section 7.20.3, "Memory management functions"
[[Seacord 05]] Chapter 4, "Dynamic Memory Management"