Calling free()
twice on the same memory address can lead to a buffer overflow.
Double free errors occur when free()
is called more than once with the same memory address as an argument.
Calling free()
twice on the same value can lead to a buffer overflow. When a program calls free()
twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc()
to return the same pointer. If malloc()
returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.
Example 1: The following code shows a simple example of a double free vulnerability.
char* ptr = (char*)malloc (SIZE);
...
if (abrt) {
free(ptr);
}
...
free(ptr);
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A5 Buffer Overflow
[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3590.1 CAT I
[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 415
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.2
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.5
[6] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons