CodeQL documentation

Potential double free

ID: cpp/double-free
Kind: path-problem
Security severity: 9.3
Severity: warning
Precision: high
Tags:
   - reliability
   - security
   - external/cwe/cwe-415
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls


Deallocating memory more than once can lead to a double-free vulnerability. This can be exploited to corrupt the allocator’s internal data structures, which can lead to denial-of-service attacks by crashing the program, or security vulnerabilities, by allowing an attacker to overwrite arbitrary memory locations.

Recommendation

Ensure that all execution paths deallocate the allocated memory at most once. If possible, reassign the pointer to a null value after deallocating it. This will prevent double-free vulnerabilities since most deallocation functions will perform a null-pointer check before attempting to deallocate the memory.

Example

#include <stdlib.h>

#define SIZE 16            /* placeholder value; the original page does not define SIZE */
void do_stuff(int *buff);  /* defined elsewhere; its body is not on the original page */

int* f() {
	int *buff = malloc(SIZE*sizeof(int));
	do_stuff(buff);
	free(buff);
	int *new_buffer = malloc(SIZE*sizeof(int));
	free(buff); // BAD: If new_buffer is assigned the same address as buff,
	            // the memory allocator will free the new buffer memory region,
	            // leading to use-after-free problems and memory corruption.
	return new_buffer;
}
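The corrected form of the function above, following the recommendation to reassign the pointer to a null value after deallocating it. This is an added example, not code from the CodeQL query or its documentation; `SIZE`, the body of `do_stuff`, the `free_and_null` helper and the `f_fixed`/`check_fixed` names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define SIZE 16            /* constructed for this example */

/* Stand-in for the page's do_stuff(): fills the buffer with something. */
static void do_stuff(int *buff) {
    for (size_t i = 0; i < SIZE; i++) {
        buff[i] = (int)i;
    }
}

/* Free the pointee and null the caller's variable in one step. A later
 * free() through the same variable then becomes free(NULL), which the C
 * standard defines as a no-op, so an accidental second release is harmless. */
static void free_and_null(int **p) {
    free(*p);
    *p = NULL;
}

/* Corrected version of f(): every allocation is released at most once, and
 * buff is nulled the moment it is released. */
int *f_fixed(void) {
    int *buff = malloc(SIZE * sizeof(int));
    if (buff == NULL) {
        return NULL;
    }
    do_stuff(buff);
    free_and_null(&buff);               /* buff is now NULL */

    int *new_buffer = malloc(SIZE * sizeof(int));
    free_and_null(&buff);               /* GOOD: free(NULL), new_buffer is untouched */
    return new_buffer;
}

/* Returns 1 if the variable is NULL after free_and_null(), 0 otherwise. */
int pointer_is_null_after_free(void) {
    int *p = malloc(SIZE * sizeof(int));
    if (p == NULL) {
        return 0;
    }
    free_and_null(&p);
    return p == NULL;
}

/* Returns 1 if the buffer handed back by f_fixed() is still usable
 * (i.e. it was not released by the stray second free), 0 otherwise. */
int check_fixed(void) {
    int *p = f_fixed();
    if (p == NULL) {
        return 0;
    }
    p[0] = 42;
    int ok = (p[0] == 42);
    free_and_null(&p);
    return ok;
}

int main(void) {
    printf("pointer nulled after free: %d\n", pointer_is_null_after_free());
    printf("buffer usable after fix:   %d\n", check_fixed());
    return 0;
}
```

Passing the address of the pointer variable is what makes the idiom stick: a plain `free(buff)` cannot null the caller's variable, so the check that `free()` performs on a null argument only helps if the caller actually stores NULL back.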
