Free of Memory not on the Heap
The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().
When free() is called on an invalid pointer, the program's memory management data structures may become corrupted. This corruption can crash the program or, in some circumstances, allow an attacker to cause free() to operate on controllable memory locations, modifying critical program variables or executing code.
The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.
Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.
In this example, an array of record_t structs, bar, is allocated automatically on the stack as a local variable and the programmer attempts to call free() on the array. The consequences will vary based on the implementation of free(), but it will not succeed in deallocating the memory.
This example shows the array allocated globally, as part of the data segment of memory, where the programmer again attempts to call free() on the array.
Instead, if the programmer wanted to dynamically manage the memory, malloc() or calloc() should have been used.
Additionally, you can pass global variables to free() when they are pointers to dynamically allocated memory.
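The flawed and corrected forms described above, as an added C example that is not part of the original page. The record_t layout, the MAX_SIZE value, and all function names are assumptions; the flawed calls sit behind a hypothetical SHOW_WEAKNESS macro so the default build never executes them.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_SIZE 100                                  /* constructed size */
typedef struct { int id; char name[32]; } record_t;   /* assumed layout */

#ifdef SHOW_WEAKNESS   /* flawed forms, excluded from the default build */
record_t global_bar[MAX_SIZE];             /* lives in the data segment */
void flawed(void) {
    record_t bar[MAX_SIZE];                /* lives on the stack */
    bar[0].id = 1;
    free(bar);         /* CWE-590: stack memory; gcc -Wfree-nonheap-object flags it */
    free(global_bar);  /* CWE-590: static storage, same defect */
}
#endif

/* Corrected local case: heap allocation, checked, freed exactly once. */
int process_records(size_t n) {
    if (n == 0 || n > MAX_SIZE) return -1;
    record_t *bar = calloc(n, sizeof *bar);
    if (bar == NULL) return -1;
    for (size_t i = 0; i < n; i++) bar[i].id = (int)i;
    int last_id = bar[n - 1].id;
    free(bar);                             /* pointer came from calloc() */
    return last_id;
}

/* A global *pointer* to heap memory is a valid argument to free(). */
record_t *global_recs = NULL;

int global_alloc(size_t n) {
    if (global_recs != NULL || n == 0) return -1;   /* avoid leak and zero size */
    global_recs = calloc(n, sizeof *global_recs);
    return global_recs ? 0 : -1;
}

void global_release(void) {
    free(global_recs);                     /* free(NULL) is a no-op */
    global_recs = NULL;                    /* guards against a later double free */
}

int main(void) {
    printf("last id: %d\n", process_records(10));
    if (global_alloc(5) == 0) global_release();
    return 0;
}
```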
Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
This category identifies Software Fault Patterns (SFPs) within the Faulty Memory Release cluster (SFP12).
This view (slice) covers all the elements in CWE.
This view (slice) lists weaknesses that can be introduced during implementation.