MEM34-C. Only free memory allocated dynamically

As noted in undefined behavior 179 of Annex J of the C Standard [ISO/IEC 9899:2011], the behavior of a program is undefined when

the pointer argument to the free or realloc function does not match a pointer earlier returned by a memory management function, or the space has been deallocated by a call to free or realloc.

Freeing memory that is not allocated dynamically can lead to serious errors similar to those discussed in MEM31-C. Free dynamically allocated memory exactly once. The consequences of this error depend on the implementation, but they range from nothing to abnormal program termination. Regardless of the implementation, avoid calling free() on anything other than a pointer returned by a dynamic memory allocation function, such as malloc(), calloc(), realloc(), or aligned_alloc.

A similar situation arises when realloc() is supplied a pointer to nondynamically allocated memory. The realloc() function is used to resize a block of dynamic memory. If realloc() is supplied a pointer to memory not allocated by a memory allocation function, such as malloc(), the program may terminate abnormally.

Noncompliant Code Example

This noncompliant code example sets str to reference either dynamically allocated memory or a statically allocated string literal depending on the value of argc. In either case, str is passed as an argument to free(). If anything other than dynamically allocated memory is referenced by str, the call to free(str) is erroneous.

enum { MAX_ALLOCATION = 1000 };

int main(int argc, const char *argv[]) {
  char *str = NULL;
  size_t len;

  if (argc == 2) {
    len = strlen(argv[1])+1;
    if (len > MAX_ALLOCATION) {
      /* Handle error */
    }
    str = (char *)malloc(len);
    if (str == NULL) {
      /* Handle allocation error */
    }
    strcpy(str, argv[1]);
  }
  else {
    str = "usage: $>a.exe [string]";
    printf("%s\n", str);
  }
  /* ... */
  free(str);
  return 0;
}

Compliant Solution

This compliant solution eliminates the possibility of str, referencing nondynamic memory when it is supplied to free().

enum { MAX_ALLOCATION = 1000 };

int main(int argc, const char *argv[]) {
  char *str = NULL;
  size_t len;

  if (argc == 2) {
    len = strlen(argv[1])+1;
    if (len > MAX_ALLOCATION) {
      /* Handle error */
    }
    str = (char *)malloc(len);
    if (str == NULL) {
      /* Handle allocation error */
    }
    strcpy(str, argv[1]);
  }
  else {
    printf("%s\n", "usage: $>a.exe [string]");
    return -1;
  }
  /* ... */
  free(str);
  return 0;
}

Noncompliant Code Example (realloc())

In this noncompliant example, the pointer parameter to realloc(), buf, does not refer to dynamically allocated memory.

#define BUFSIZE 256
 
void f(void) {
  char buf[BUFSIZE];
  char *p;
  /* ... */
  p = (char *)realloc(buf, 2 * BUFSIZE);  /* violation */
  /* ... */
}

Compliant Solution(realloc())

In this compliant solution, buf refers to dynamically allocated memory.

#define BUFSIZE 256
 
void f(void) {
  char *buf = (char *)malloc(BUFSIZE * sizeof(char));
  char *p;
  /* ... */
  p = (char *)realloc(buf, 2 * BUFSIZE);  /* violation */
  /* ... */
}

Exceptions

MEM34-EX1: Some library implementations accept and ignore a deallocation of non-allocated memory (or, alternatively, cause a runtime-constraint violation). If all libraries used by a project have been validated as having this behavior, then this rule can be ignored.

Risk Assessment

Freeing or reallocating memory that was not dynamically allocated can lead to arbitrary code execution if that memory is reused by malloc().

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography