Memory Management in C
Vulnerabilities, Attacks, and Mitigations
Prof. David Bernstein
Computer Science Department
bernstdh@jmu.edu
- free() does not necessarily initialize memory (for performance reasons)
- malloc() does not necessarily initialize memory (for performance reasons)
- Mitigation: use memset() to clear memory, but optimizing compilers may remove this call if the memory isn't accessed following the write (e.g., when the write is immediately followed by free())
- Mitigation: use memset_s() (C11)
- Mitigation: use a malloc() modified to use randomization

- Applying * (i.e., the unary dereference operator) to an invalid address is undefined (i.e., it typically results in a segmentation fault, but not always)
- Dereferencing NULL might not crash the program but, instead, give an attacker the ability to write a value into an arbitrary location in memory
- Common cause: malloc() returns NULL but the program doesn't check, and it crashes when the pointer is dereferenced

- free() is passed a void*, not a void**, so it can't reset the pointer it is passed
- free() is called multiple times for the same block of memory (i.e., it is passed the same pointer)
- Mitigation: use create() and destroy() functions
- Mitigation: assign NULL to pointers after calling free() (and remember that there can be multiple pointers to the same memory)
- Mitigation: use phkmalloc (which can determine whether a pointer passed to free() or realloc() is valid without dereferencing it)
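The create()/destroy() pattern from the slides, as an added example (not code from the slides): the destroy() function takes a secret_t ** so it can clear the block, free it, and reset the caller's pointer, which free(void *) cannot do; the secret_t type, the names secret_create()/secret_destroy() and the volatile-store fallback for memset_s() are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample record: the kind of buffer that must not leak
 * through uninitialized or freed memory (names are this example's). */
typedef struct {
    char key[32];
    size_t len;
} secret_t;

/* create(): allocate and fully initialize, since malloc() does not.
 * Returns NULL on allocation failure so callers can check before use. */
secret_t *secret_create(const char *key)
{
    if (key == NULL)
        return NULL;
    secret_t *s = malloc(sizeof *s);
    if (s == NULL)                 /* never dereference a failed malloc() */
        return NULL;
    memset(s, 0, sizeof *s);       /* no uninitialized bytes reach the caller */
    s->len = strlen(key);
    if (s->len >= sizeof s->key)   /* truncate rather than overflow key[] */
        s->len = sizeof s->key - 1;
    memcpy(s->key, key, s->len);
    return s;
}

/* Clear memory through a volatile pointer so the optimizer cannot drop
 * the stores as "dead" before free(); use memset_s() where Annex K exists. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* destroy(): clears, frees and nulls the caller's pointer. A second call
 * on the same variable sees NULL and does nothing instead of double-freeing. */
void secret_destroy(secret_t **sp)
{
    if (sp == NULL || *sp == NULL)
        return;
    secure_zero(*sp, sizeof **sp);
    free(*sp);
    *sp = NULL;
}
```

Other pointers to the same block are not cleared by secret_destroy(), so the slides' warning about multiple aliases still applies.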