Incorrect Use of Free Detection
Detection Workflow
- •Identify free operations: Find all free() calls, locate delete/delete[] calls, map deallocation points, note pointers being freed
- •Trace pointer origins: Find where pointers originate, identify allocation method, track pointer assignments, assess pointer validity
- •Analyze memory type: Verify pointer points to heap memory, check for stack variables, identify static/global variables, assess pointer validity
- •Assess impact: Can incorrect free cause crash? Can it cause heap corruption? What's the security impact? Is it exploitable?
Key Patterns
- •Freeing non-heap memory: free() on stack variables, free() on static/global variables, free() on string literals, free() on automatic storage
- •Freeing invalid pointers: free() on NULL pointer, free() on already-freed memory, free() on uninitialized pointers, free() on middle of allocations
- •Mismatched allocators: free() on new-allocated memory, delete on malloc-allocated memory, cross-allocator deallocation, mixed C/C++ memory management
- •Double free patterns: multiple free() on same pointer, free() in multiple code paths, free() in error handling, free() in cleanup functions
Output Format
Report with: id, type, subtype, severity, confidence, location, vulnerability, freed_pointer, pointer_type, allocation_type, free_operation, exploitable, attack_scenario, impact, mitigation.
Severity Guidelines
- •HIGH: Incorrect free causing heap corruption
- •MEDIUM: Incorrect free causing crashes
- •LOW: Incorrect free with limited impact
See Also
- •
patterns.md- Detailed detection patterns and exploitation scenarios - •
examples.md- Example analysis cases and code samples - •
references.md- CWE references and mitigation strategies