Difference between revisions of "Double Free"

Jump to: navigation, search
m (Remove Java category (free doesnt exist in Java))
Line 44: Line 44:
[[Category:Code Quality Vulnerability]]
[[Category:Code Quality Vulnerability]]
[[Category:Code Snippet]]
[[Category:Code Snippet]]

Revision as of 11:12, 3 January 2007

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

This article includes content generously donated to OWASP by Fortify.JPG.


Calling free() twice on the same memory address can lead to a buffer overflow.


Double free errors occur when free() is called more than once with the same memory address as an argument.

Calling free() twice on the same value can lead to a buffer overflow. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.


The following code shows a simple example of a double free vulnerability.

	char* ptr = (char*)malloc (SIZE);
	if (abrt) {

Double free vulnerabilities have two common (and sometimes overlapping) causes:

  • Error conditions and other exceptional circumstances
  • Confusion over which part of the program is responsible for freeing the memory

Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures