What does "double free" mean?

79.3k views Asked by At

As the title suggests I am new to C and have a mid-term coming up shortly. I am revising from past papers currently and a recurring theme is the double free problem. I understand that it is the process of calling free() on the same memory location twice, but I have a couple of questions that I'm not 100% sure how to answer:

Question 1: What is the result of a double free in C, and why is it such a problem?

This will cause a double free:

char* ptr = malloc(sizeof(char));

*ptr = 'a';
free(ptr);
free(ptr);

My response to this would be that it would return a 0x0 memory address and cause a system instability/crash. Also if I remember correctly, a double free can actually call malloc twice which results in a buffer overflow thus leaving the system vulnerable.

What would be the best way to briefly sum up this question?

Question 2: Describe a situation in which it is particularly easy to introduce a double free in C?

I was thinking when passing pointers around you may accidentally free it in one function, and also free it again without realising?

Again, what is the "best" way to sum this up?

4

There are 4 answers

5
templatetypedef On BEST ANSWER

A double free in C, technically speaking, leads to undefined behavior. This means that the program can behave completely arbitrarily and all bets are off about what happens. That's certainly a bad thing to have happen! In practice, double-freeing a block of memory will corrupt the state of the memory manager, which might cause existing blocks of memory to get corrupted or for future allocations to fail in bizarre ways (for example, the same memory getting handed out on two different successive calls of malloc).

Double frees can happen in all sorts of cases. A fairly common one is when multiple different objects all have pointers to one another and start getting cleaned up by calls to free. When this happens, if you aren't careful, you might free the same pointer multiple times when cleaning up the objects. There are lots of other cases as well, though.

Hope this helps!

1
Weather Vane On

This question has been well answered, but I add a late answer due to a "duplicate question" link, which asked "how to avoid it?"

One line is added to the example code posted.

char* ptr = malloc(sizeof(char));

*ptr = 'a';
free(ptr);
ptr = NULL;         // add this
free(ptr);

Function free does nothing with a NULL pointer.

4
ankurgupta7 On

As per published C11 standard, calling free on already free memory location leads to undefined behaviour. It can lead to bizarre situations such as memory not getting allocated even when it's available, heap getting corrupt, same memory location getting allocated to different mallocs etc. Basically, it is undefined and can be anything.

ANSI C11 std can be found here. https://www.iso.org/obp/ui/#iso:std:iso-iec:9899:ed-3:v1:en

EDIT: changed NULL to already freed, based on comments. also, link now points to ISO/IEC 9899:2011(en)

0
zero_yu On

Because free() will consolidate adjacent regions by managing the information stored in the tags before each region. It is something like managing the double linked list. So it would be dangerous if the buffer where ptr is pointing has been overwritten by an attack string, in which fake tags can be injected.