mirror of
https://github.com/github/codeql.git
synced 2026-02-16 06:53:41 +01:00
53 lines
1.6 KiB
XML
53 lines
1.6 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
|
|
|
|
<overview>
|
|
<p>
|
|
Deallocating memory more than once can lead to a double-free vulnerability. This can be exploited to
|
|
corrupt the allocator's internal data structures, which can lead to denial-of-service attacks by crashing
|
|
the program, or security vulnerabilities, by allowing an attacker to overwrite arbitrary memory locations.
|
|
</p>
|
|
|
|
</overview>
|
|
<recommendation>
|
|
<p>
|
|
Ensure that all execution paths deallocate the allocated memory at most once. In complex cases it may
|
|
help to reassign a pointer to a null value after deallocating it. This will prevent double-free vulnerabilities
|
|
since most deallocation functions will perform a null-pointer check before attempting to deallocate memory.
|
|
</p>
|
|
|
|
</recommendation>
|
|
<example>
|
|
<p>
|
|
In the following example, <code>buff</code> is allocated and then freed twice:
|
|
</p>
|
|
<sample src="DoubleFreeBad.cpp" />
|
|
<p>
|
|
Reviewing the code above, the issue can be fixed by simply deleting the additional call to
|
|
<code>free(buff)</code>.
|
|
</p>
|
|
<sample src="DoubleFreeGood.cpp" />
|
|
<p>
|
|
In the next example, <code>task</code> may be deleted twice, if an exception occurs inside the <code>try</code>
|
|
block after the first <code>delete</code>:
|
|
</p>
|
|
<sample src="DoubleFreeBad2.cpp" />
|
|
<p>
|
|
The problem can be solved by assigning a null value to the pointer after the first <code>delete</code>, as
|
|
calling <code>delete</code> a second time on the null pointer is harmless.
|
|
</p>
|
|
<sample src="DoubleFreeGood2.cpp" />
|
|
</example>
|
|
<references>
|
|
|
|
<li>
|
|
OWASP:
|
|
<a href="https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory">Doubly freeing memory</a>.
|
|
</li>
|
|
|
|
</references>
|
|
</qhelp>
|