Example 1
The following code shows a simple example of a use after free
error:
(Bad Code)
Example
Language: C
char* ptr = (char*)malloc (SIZE);
if (err) {
}
...
if (abrt) {
logError("operation aborted before commit", ptr);
}
When an error occurs, the pointer is immediately freed. However, this
pointer is later incorrectly used in the logError function.
Example 2
The following code shows a simple example of a double free
error:
(Bad Code)
Example
Language: C
char* ptr = (char*)malloc (SIZE);
...
if (abrt) {
}
...
free(ptr);
Double free vulnerabilities have two common (and sometimes
overlapping) causes:
Although some double free vulnerabilities are not much more
complicated than the previous example, most are spread out across
hundreds of lines of code or even different files. Programmers seem
particularly susceptible to freeing global variables more than
once.
Example 3
In the following C/C++ example the method processMessage is used to
process a message received in the input array of char arrays. The input
message array contains two char arrays: the first is the length of the
message and the second is the body of the message. The length of the message
is retrieved and used to allocate enough memory for a local char array,
messageBody, to be created for the message body. The messageBody is
processed in the method processMessageBody that will return an error if an
error occurs while processing. If an error occurs then the return result
variable is set to indicate an error and the messageBody char array memory
is released using the method free and an error message is sent to the
logError method.
(Bad Code)
Example Languages: C and C++
#define FAIL 0
#define SUCCESS 1
#define ERROR -1
#define MAX_MESSAGE_SIZE 32
int processMessage(char **message)
{
int result = SUCCESS;
int length = getMessageLength(message[0]);
char *messageBody;
if ((length > 0) && (length <
MAX_MESSAGE_SIZE)) {
messageBody = (char*)malloc(length*sizeof(char));
messageBody = &message[1][0];
int success = processMessageBody(messageBody);
if (success == ERROR) {
result = ERROR;
free(messageBody);
}
}
else {
printf("Unable to process message; invalid message
length");
result = FAIL;
}
if (result == ERROR) {
logError("Error processing message", messageBody);
}
return result;
}
However, the call to the method logError includes the messageBody
after the memory for messageBody has been released using the free
method. This can cause unexpected results and may lead to system
crashes. A variable should never be used after its memory resources have
been released.
(Good Code)
Example Languages: C and C++
...
messageBody = (char*)malloc(length*sizeof(char));
messageBody = &message[1][0];
int success = processMessageBody(messageBody);
if (success == ERROR) {
result = ERROR;
logError("Error processing message", messageBody);
free(messageBody);
}
...
Description
