Freeing memory multiple times has similar consequences to accessing memory after it is freed. The underlying data structures that manage the heap can become corrupted in a way that could introduce security vulnerabilities into a program. These types of issues are referred to as double-free vulnerabilities. In practice, double-free vulnerabilities can be exploited to execute arbitrary code. VU#623332, which describes a double-free vulnerability in the MIT Kerberos 5 function krb5_recvauth(), is one example.
To eliminate double-free vulnerabilities, it is necessary to guarantee that dynamic memory is freed exactly one time. Programmers should be wary when freeing memory in a loop or conditional statement; if coded incorrectly, these constructs can lead to double-free vulnerabilities. It is also a common error to misuse the {{realloc()}} function in a manner that results in double-free vulnerabilities (see \[[MEM04-A. Do not perform zero length allocations]\]). |
In this example, the memory referred to by x may be freed twice: once if error_condition is true and again at the end of the code.
x = (int *)malloc (number * sizeof(int));
if (x == NULL) {
/* Handle Allocation Error */
}
/* ... */
if (error_condition == 1) {
/* Handle Error Condition*/
free(x);
}
/* ... */
free(x);
|
Only free a pointer to dynamic memory referred to by x once. This is accomplished by removing the call to free() in the section of code executed when error_condition is true.
if (number > SIZE_MAX/sizeof(int)) {
/* handle overflow */
}
x = (int *)malloc(number * sizeof(int));
if (x == NULL) {
/* Handle Allocation Error */
}
/* ... */
if (error_condition == 1) {
/* Handle Error Condition*/
}
/* ... */
free(x);
x = NULL;
|
Note that this solution checks for numeric overflow \[[INT32-C. Ensure that operations on signed integers do not result in overflow]\]. |
Freeing memory multiple times can result in an attacker executing arbitrary code with the permissions of the vulnerable process.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
MEM31-C |
high |
probable |
medium |
P12 |
L1 |
The LDRA tool suite V 7.6.0 is able to detect violations of this rule.
The Fortify Source Code Analysis Suite Double Free detects instances of memory being freed more than once.
The Coverity Prevent RESOURCE_LEAK finds resource leaks from variables that go out of scope while owning a resource. Coverity Prevent cannot discover all violations of this rule so further verification is necessary.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
\[[VU#623332|AA. C References#VU623332]\] \[[MIT 05|AA. C References#MIT 05]\] \[[OWASP, Double Free|AA. C References#OWASP Double Free]\] \[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 415|http://cwe.mitre.org/data/definitions/415.html], "Double Free" \[[Viega 05|AA. C References#Viega 05]\] "Doubly freeing memory" |
08. Memory Management (MEM) MEM32-C. Detect and handle memory allocation errors