Double Free Bugs and Dangling Pointer Bugs in C

by: ev1lut10n (a Chinese man living in Indonesia)
'Even experienced programmers still make bugs, because they're human'

There are many kinds of C programming bugs; here are some of them.

[Double Free Bug]

A double free bug happens when we call free() more than once on the same
memory allocation
(if you call free() on it more than twice, the heap is corrupted just like in a buffer overflow).

Example of wrong code:
============
/**made by ev1lut10n**/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char *argv[])
{
    /* the parent exits right away; only the child carries on */
    if (fork() != 0)
    {
        exit(1);
    }
    fprintf(stdout, "\nYour argument is %s", argv[1]);
    /* note: sizeof(argv[1]) is the size of a char pointer, not of the string */
    char *bufer = (char *)malloc(sizeof(argv[1]));
    fprintf(stdout, "\nWe make first free after this\n");
    free(bufer);                                  /* first release: fine */
    fprintf(stdout, "\nWe make our second free after this caused double free\n");
    free(bufer);                                  /* second release of the same block: double free */
    return 0;
}
==============

From the C code above we see that the programmer frees the buffer more than once
after malloc:
char *bufer = (char *)malloc(sizeof(argv[1])); ---------- here he uses
malloc to allocate on the heap

After that he calls free(bufer); and further down he calls free(bufer); once again.

Even experienced C programmers sometimes still make this mistake.
The GNU C Library heap protector catches it at run time:
===============
root@mywisdom-Vostro1310:/home/mywisdom/www/artikel/bugs# ./df

Your argument is (null)
We make first free after this

We make our second free after this caused double free
*** glibc detected *** ./df: double free or corruption (fasttop): 0x08186008 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6c501)[0x981501]
/lib/libc.so.6(+0x6dd70)[0x982d70]
/lib/libc.so.6(cfree+0x6d)[0x985e5d]
./df[0x804858c]
/lib/libc.so.6(__libc_start_main+0xe7)[0x92bce7]
./df[0x8048441]
===============================


Example of correct C code:
========
/**made by ev1lut10n**/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char *argv[])
{
    /* the parent exits right away; only the child carries on */
    if (fork() != 0)
    {
        exit(1);
    }
    fprintf(stdout, "\nYour argument is %s", argv[1]);
    /* note: sizeof(argv[1]) is the size of a char pointer, not of the string */
    char *bufer = (char *)malloc(sizeof(argv[1]));
    fprintf(stdout, "\nWe make first free after this\n");
    free(bufer);                                  /* released exactly once */
    return 0;
}
=============

[Dangling Pointers]

This happens when we delete an object from memory but the associated pointer
still points to the memory address of that object.

Sample of a dangling pointer (taken from the internet):
===========
#include <stdio.h>

int *call(void);
int main(void)
{
    int *ptr;
    ptr = call();
    fflush(stdin);                 /* flushing an input stream is undefined in standard C */
    printf("%d", *ptr);            /* reads through a pointer to storage that no longer exists */
    return 0;
}
int *call(void)
{
    int x = 25;
    ++x;
    return &x;                     /* address of a local: x is gone once call() returns */
}
==============
From the sample above, we create a pointer:

int *ptr;

Then the pointer is filled with the return value of the function call().
That is followed by fflush(stdin); as we know, fflush's return value is 0,
which is just the same as ptr = NULL;.
After that ptr becomes a dangling pointer and shouldn't be used by the following
code. Unfortunately
it is followed by: printf("%d", *ptr);
and so it becomes dangling-pointer buggy code.

The correct one should be without fflush:
===========
#include <stdio.h>

int *call(void);
int main(void)
{
    int *ptr;
    ptr = call();
    printf("%d", *ptr);
    return 0;
}
int *call(void)
{
    static int x = 25;             /* static storage: x outlives the call, so the pointer stays valid */
    ++x;
    return &x;
}
==============
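The defensive pattern behind both sections, as an added example that is not part of the original article: size the allocation from the string rather than from sizeof(argv[1]), and clear the pointer when the block is released so a repeated free() becomes a harmless free(NULL) and no dangling pointer to freed memory remains. The names dup_arg, free_and_null and buffer_lifetime are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy an argument onto the heap, sized from the string itself rather than
   sizeof(argv[1]), which is only the size of a char pointer. */
char *dup_arg(const char *arg)
{
    size_t n = strlen(arg) + 1;          /* +1 for the terminating NUL */
    char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, n);
    return buf;
}

/* Release a buffer and clear the owner's pointer in one step. free(NULL) is
   defined as a no-op, so a later repeated release cannot double free, and the
   owner no longer holds a dangling pointer into freed memory. */
void free_and_null(char **pp)
{
    free(*pp);
    *pp = NULL;
}

/* Walks the lifetime of one buffer: allocate, use, release twice.
   Returns the length read from the buffer while it was live,
   -1 on allocation failure, or -2 if the pointer was not cleared. */
int buffer_lifetime(const char *arg)
{
    char *bufer = dup_arg(arg);
    if (bufer == NULL)
        return -1;
    int len = (int)strlen(bufer);        /* use only while the block is live */
    free_and_null(&bufer);               /* first release: actually frees */
    free_and_null(&bufer);               /* second release: free(NULL), harmless */
    return bufer == NULL ? len : -2;
}

int main(int argc, char *argv[])
{
    /* "(no argument)" is a constructed fallback so the demo runs without argv[1] */
    const char *arg = argc > 1 ? argv[1] : "(no argument)";
    printf("Your argument is %s, length %d\n", arg, buffer_lifetime(arg));
    return 0;
}
```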