• CodeQL query help documentation »
• CodeQL query help for C and C++ »

Potential double free

ID: cpp/double-free
Kind: path-problem
Security severity: 9.3
Severity: warning
Precision: high
Tags:
   - reliability
   - security
   - external/cwe/cwe-415
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

Deallocating memory more than once can lead to a double-free vulnerability. This can be exploited to corrupt the allocator’s internal data structures, which can lead to denial-of-service attacks by crashing the program, or security vulnerabilities, by allowing an attacker to overwrite arbitrary memory locations.

Recommendation

Ensure that all execution paths deallocate the allocated memory at most once. In complex cases it may help to reassign a pointer to a null value after deallocating it. This will prevent double-free vulnerabilities since most deallocation functions will perform a null-pointer check before attempting to deallocate memory.

Example

In the following example, buff is allocated and then freed twice:

int* f() {
	int *buff = malloc(SIZE*sizeof(int));
	do_stuff(buff);
	free(buff);
	int *new_buffer = malloc(SIZE*sizeof(int));
	free(buff); // BAD: If new_buffer is assigned the same address as buff,
              // the memory allocator will free the new buffer memory region,
              // leading to use-after-free problems and memory corruption.
	return new_buffer;
}

Reviewing the code above, the issue can be fixed by simply deleting the additional call to free(buff).

int* f() {
	int *buff = malloc(SIZE*sizeof(int));
	do_stuff(buff);
	free(buff); // GOOD: buff is only freed once.
	int *new_buffer = malloc(SIZE*sizeof(int));
	return new_buffer;
}

In the next example, task may be deleted twice, if an exception occurs inside the try block after the first delete:

void g() {
	MyTask *task = nullptr;

	try
	{
		task = new MyTask;

		...

		delete task;

		...
	} catch (...) {
		delete task; // BAD: potential double-free
	}
}

The problem can be solved by assigning a null value to the pointer after the first delete, as calling delete a second time on the null pointer is harmless.

void g() {
	MyTask *task = nullptr;

	try
	{
		task = new MyTask;

		...

		delete task;
		task = nullptr;

		...
	} catch (...) {
		delete task; // GOOD: harmless if task is NULL
	}
}

References

• OWASP: Doubly freeing memory.

• Common Weakness Enumeration: CWE-415.

• © GitHub, Inc.
• Terms
• Privacy