Free of Pointer not at Start of Buffer| ID: 761 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Variant |
Description
The application calls free() on a pointer to a memory resource
that was allocated on the heap, but the pointer is not at the start of the
buffer.
Extended DescriptionThis can cause the application to crash, or in some cases, modify critical
program variables or execute code.This weakness often occurs when the memory is allocated explicitly on the
heap with one of the malloc() family functions and free() is called, but
pointer arithmetic has caused the pointer to be in the interior or end of
the buffer.
Applicable PlatformsNone
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| IntegrityAvailabilityConfidentiality | Modify memoryDoS: crash / exit /
restartExecute unauthorized code or
commands | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | When utilizing pointer arithmetic to traverse a buffer, use a separate
variable to track progress through memory and preserve the originally
allocated address for later freeing. | | |
| Implementation | | When programming in C++, consider using smart pointers provided by the
boost library to help correctly and consistently manage memory. | | |
| Architecture and DesignImplementationOperation | Libraries or Frameworks | Use a vetted library or framework that does not allow this weakness to
occur or provides constructs that make this weakness easier to
avoid.For example, glibc in Linux provides protection against free of
invalid pointers. | | |
| Architecture and Design | | Use a language that provides abstractions for memory allocation and
deallocation. | | |
| Testing | | Use a tool that dynamically detects memory management problems, such
as valgrind. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-761 ChildOf CWE-891 | Category | CWE-888 | |
Demonstrative Examples (Details)
- Consider the following code in the context of a parsing application
to extract commands out of user data. The intent is to parse each command
and add it to a queue of commands to be executed, discarding each malformed
entry. (Demonstrative Example Id DX-79)
- In this example, the programmer dynamically allocates a buffer to
hold a string and then searches for a specific character. After completing
the search, the programmer attempts to release the allocated memory and
return SUCCESS or FAILURE to the caller. Note: for simplification, this
example uses a hard-coded "Search Me!" string and a constant string length
of 20. (Demonstrative Example Id DX-77)
- This code attempts to tokenize a string and place it into an array
using the strsep function, which inserts a \0 byte in place of whitespace or
a tab character. After finishing the loop, each string in the AP array
points to a location within the input string. (Demonstrative Example Id DX-78)
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:
- .boost C++ Library Smart Pointers.
- .Valgrind.
