Recommendation¶

Ensure that all execution paths deallocate the allocated memory at most once. In complex cases it may help to reassign a pointer to a null value after deallocating it. This will prevent double-free vulnerabilities since most deallocation functions will perform a null-pointer check before attempting to deallocate memory.

Example¶

In the following example,buff is allocated and then freed twice:

int*f(){int*buff=malloc(SIZE*sizeof(int));do_stuff(buff);free(buff);int*new_buffer=malloc(SIZE*sizeof(int));free(buff);// BAD: If new_buffer is assigned the same address as buff,// the memory allocator will free the new buffer memory region,// leading to use-after-free problems and memory corruption.returnnew_buffer;}

Reviewing the code above, the issue can be fixed by simply deleting the additional call tofree(buff).

int*f(){int*buff=malloc(SIZE*sizeof(int));do_stuff(buff);free(buff);// GOOD: buff is only freed once.int*new_buffer=malloc(SIZE*sizeof(int));returnnew_buffer;}

In the next example,task may be deleted twice, if an exception occurs inside thetry block after the firstdelete:

voidg(){MyTask*task=nullptr;try{task=newMyTask;...deletetask;...}catch(...){deletetask;// BAD: potential double-free}}

The problem can be solved by assigning a null value to the pointer after the firstdelete, as callingdelete a second time on the null pointer is harmless.

voidg(){MyTask*task=nullptr;try{task=newMyTask;...deletetask;task=nullptr;...}catch(...){deletetask;// GOOD: harmless if task is NULL}}

References¶

• OWASP:Doubly freeing memory.

• Common Weakness Enumeration:CWE-415.