Freeing memory multiple times has similar consequences to accessing memory after it is freed. The underlying data structures that manage the heap can become corrupted in a way that could introduce security vulnerabilities into a program. These types of issues are referred to as double-free vulnerabilities. In practice, double-free vulnerabilities can be exploited to execute arbitrary code. VU#623332, which describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth(), is one example. To eliminate double-free vulnerabilities, it is necessary to guarantee that dynamic memory is freed exactly one time. Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities.

Non-Compliant Code Example

In this example, the memory referred to by x may be freed twice: once if error_condition is true and again at the end of the code.

x = malloc (number * sizeof(int));
if (x == NULL) {
  /* Handle Allocation Error */
}
/* ... */
if (error_conditon == 1) {
  /* Handle Error Condition*/
  free(x);
}
/* ... */
free(x);

Compliant Solution

Only free a pointer to dynamic memory referred to by x once. This is accomplished by removing the call to free() in the section of code executed when error_condition is true.

x = malloc (number * sizeof(int));
if (x == NULL) {
  /* Handle Allocation Error */
}
/* ... */
if (error_conditon == 1) {
  /* Handle Error Condition*/
}
/* ... */
free(x);

Risk Assessment

Freeing memory multiple times can result in an attacker executing arbitrary code with the permissions of the vulnerable process.

Examples of vulnerabilities resulting from the violation of this rule can be found on the CERTwebsite.

References

\[[VU#623332|AA. C References#VU623332]\]
\[[MIT 05|AA. C References#MIT 05]\]
OWASP, [Double Free|http://www.owasp.org/index.php/Double_Free]
\[[Viega 05|AA. C References#Viega 05]\] "Doubly freeing memory"