08. Memory Management (MEM)

Dynamic memory management is a common source of programming flaws that can lead to security vulnerabilities. Decisions regarding how dynamic memory is allocated, used, and deallocated are the burden of the programmer. Poor memory management can lead to security issues such as heap-buffer overflows, dangling pointers, and double-free issues [Seacord 05]. From the programmer's perspective, memory management involves allocating memory, reading and writing to memory, and deallocating memory.

The following rules and recommendations are designed to reduce the common errors associated with memory management. These guidelines address common misunderstandings and errors in memory management that lead to security vulnerabilities.

These guidelines apply to the following standard memory management routines described in C99 Section 7.20.3:

void *malloc(size_t size);

void *calloc(size_t nmemb, size_t size);

void *realloc(void *ptr, size_t size);

void free(void *ptr);

The specific characteristics of these routines are based on the compiler used. With a few exceptions, this document considers only the general and compiler-independent attributes of these routines.

Recommendations

MEM00-A. Allocate and free memory in the same module, at the same level of abstraction

MEM01-A. Store a new value in pointers immediately after free()

MEM02-A. Immediately cast the result of a memory allocation function call into a pointer to the allocated type

MEM03-A. Clear sensitive information stored in reusable resources returned for reuse

MEM04-A. Do not make assumptions about the result of allocating 0 bytes

MEM05-A. Avoid large stack allocations

MEM06-A. Ensure that sensitive data is not written out to disk

MEM07-A. Ensure that size arguments to calloc() do not result in an integer overflow

MEM08-A. Use realloc() only to resize dynamically allocated arrays

MEM09-A. Do not assume memory allocation routines initialize memory

Rules

MEM30-C. Do not access freed memory

MEM31-C. Free dynamically allocated memory exactly once

MEM32-C. Detect and handle critical memory allocation errors

MEM33-C. Use the correct syntax for flexible array members

MEM34-C. Only free memory allocated dynamically

MEM35-C. Allocate sufficient memory for an object

Risk Assessment Summary

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
MEM00-A	3 (high)	2 (probable)	2 (high)	P12	L1
MEM01-A	3 (high)	2 (probable)	3 (low)	P18	L1
MEM02-A	1 (low)	1 (unlikely)	3 (low)	P3	L3
MEM03-A	2 (medium)	1 (unlikely)	3 (low)	P6	L2
MEM04-A	3 (high)	2 (probable)	2 (medium)	P12	L1
MEM05-A	1 (low)	1 (unlikely)	2 (medium)	P2	L3
MEM07-A	3 (high)	1 (unlikely)	1 (high)	P3	L3

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
MEM30-C	3 (high)	3 (likely)	2 (medium)	P18	L1
MEM31-C	3 (high)	2 (probable)	2 (medium)	P12	L1
MEM32-C	1 (low)	3 (likely)	2 (medium)	P6	L2
MEM33-C	1 (low)	1 (unlikely)	3 (low)	P3	L3
MEM34-C	1 (low)	1 (unlikely)	2 (medium)	P2	L3
MEM35-C	3 (high)	2 (probable)	1 (high)	P6	L2

Related Rules and Recommendations

EXP33-C. Do not read uninitialized memory

EXP34-C. Do not dereference null pointers

INT01-C. Use size_t or rsize_t for all integer values representing the size of an object

STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator

References

[[ISO/IEC 9899-1999]] Section 7.20.3, "Memory management functions"
[[Seacord 05]] Chapter 4, "Dynamic Memory Management"

STR35-C. Do not copy data from an unbounded source to a fixed-length array 07. Characters and Strings (STR)

Space shortcuts

Page tree

Recommendations

Rules

Risk Assessment Summary

Related Rules and Recommendations

References