Accessing memory once it is freed may corrupt the data structures used to manage the heap. References to memory that has been deallocated are referred to as dangling pointers. Accessing a dangling pointer can lead to security vulnerabilities.
When memory is freed, its contents may remain intact and accessible. This is because it is at the memory manager's discretion when to reallocate or recycle the freed chunk. The data at the freed location may appear valid. However, this can change unexpectedly, leading to unintended program behavior. As a result, it is necessary to guarantee that memory is not written to or read from once it is freed.
This example from Kernighan & Ritchie \[[Kernighan 88|AA. C References#Kernighan 88]\] illustrates both the incorrect and correct techniques for deleting items from a linked list. The incorrect solution, clearly marked as wrong in the book, is bad because {{p}} is freed before the {{p->next}} is executed, so {{p->next}} reads memory that has already been freed. |
for (p = head; p != NULL; p = p->next) /* WRONG */
free(p);
|
Kernighan & Ritchie also show the correct solution. To correct this error, a reference to p->next is stored in q before freeing p.
for (p = head; p != NULL; p = q) {
q = p->next;
free(p);
}
head = NULL;
|
In this example, buff is written to after it has been freed. These vulnerabilities can be relatively easily exploited to run arbitrary code with the permissions of the vulnerable process and are seldom this obvious. Typically, allocations and frees are far removed making it difficult to recognize and diagnose these problems.
int main(int argc, char *argv[]) {
char *buff;
buff = (char *)malloc(BUFSIZE);
if (!buff) {
/* handle error condition */
}
/* ... */
free(buff);
/* ... */
strncpy(buff, argv[1], BUFSIZE-1);
}
|
Do not free the memory until it is no longer required.
int main(int argc, char *argv[]) {
char *buff;
buff = (char *)malloc(BUFSIZE);
if (!buff) {
/* handle error condition */
}
/* ... */
strncpy(buff, argv[1], BUFSIZE-1);
/* ... */
free(buff);
}
|
Reading memory that has already been freed can lead to abnormal program termination and denial-of-service attacks. Writing memory that has already been freed can lead to the execution of arbitrary code with the permissions of the vulnerable process.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
MEM30-C |
3 (high) |
3 (likely) |
2 (medium) |
P18 |
L1 |
The LDRA tool suite V 7.6.0 is able to detect violations of this rule.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.3.2, "The free function" \[[Seacord 05|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management" \[[Kernighan 88|AA. C References#Kernighan 88]\] Section 7.8.5, "Storage Management" OWASP, [Using freed memory|http://www.owasp.org/index.php/Using_freed_memory] \[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 416|http://cwe.mitre.org/data/definitions/416.html], "Use After Free" \[[Viega 05|AA. C References#Viega 05]\] Section 5.2.19, "Using freed memory" |
MEM09-A. Do not assume memory allocation routines initialize memory 08. Memory Management (MEM) MEM31-C. Free dynamically allocated memory exactly once