by: ev1lut10n (a Chinese man living in Indonesia)
'Even experienced programmers still make bugs, because they're human'
There are many C programming bugs; here are some of them.
[Double Free Bug]
This double free bug happens when we call free more than once on the same
memory allocation
(if you call free more than twice on it, this is going to be a buffer overflow).
Example of wrong code:
============
/**made by ev1lut10n**/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char *argv[])
{
    /* the parent exits right away; only the child continues below */
    if (fork() != 0)
    {
        exit(1);
    }
    /* prints "(null)" on glibc when the program is run without an argument */
    fprintf(stdout, "\nYour argument is %s", argv[1]);
    /* note: sizeof(argv[1]) is the size of a pointer, not the length of the argument */
    char *bufer = (char *)malloc(sizeof(argv[1]));
    fprintf(stdout, "\nWe make first free after this\n");
    free(bufer);
    fprintf(stdout, "\nWe make our second free after this caused double free\n");
    free(bufer); /* second free of the same pointer: the double free bug */
    return 0;
}
==============
From the above C code we see the programmer frees the buffer more than once
after malloc:
char *bufer = (char *)malloc(sizeof(argv[1])); <---- here he uses malloc to
allocate memory on the heap.
After that he calls free(bufer); and below he calls it once again: free(bufer);
Even experienced C programmers sometimes still make this mistake.
GNU C Library heap protector
===============
root@mywisdom-Vostro1310:/home/mywisdom/www/artikel/bugs# ./df
Your argument is (null)
We make first free after this
Example of correct C code:
========
/**made by ev1lut10n**/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char *argv[])
{
    /* the parent exits right away; only the child continues below */
    if (fork() != 0)
    {
        exit(1);
    }
    fprintf(stdout, "\nYour argument is %s", argv[1]);
    /* note: sizeof(argv[1]) is the size of a pointer, not the length of the argument */
    char *bufer = (char *)malloc(sizeof(argv[1]));
    fprintf(stdout, "\nWe make first free after this\n");
    free(bufer); /* freed exactly once */
    return 0;
}
=============
[Dangling Pointers]
This happens when we delete an object from memory but the associated pointer
still points to the memory address of that object.
Sample of a dangling pointer (taken from the internet):
===========
#include <stdio.h>
int *call(void);
int main(void)
{
    int *ptr;
    ptr = call();
    fflush(stdin);        /* flushing an input stream is undefined in standard C */
    printf("%d\n", *ptr); /* reads through a pointer whose object no longer exists */
    return 0;
}
int *call(void)
{
    int x = 25;           /* automatic local: its lifetime ends when call() returns */
    ++x;
    return &x;
}
==============
From the above sample we create a pointer:
int *ptr;
then the pointer is filled with the return value of the function call().
Then it's followed by fflush(stdin); as we know, fflush's return value is 0,
which is just the same as ptr=NULL;
after that ptr becomes a dangling pointer and shouldn't be used in the following
code. Unfortunately
it's followed by: printf("%d",*ptr);
so it becomes dangling pointer buggy code.
The correct one should be without fflush:
===========
#include <stdio.h>
int *call(void);
int main(void)
{
    int *ptr;
    ptr = call();
    printf("%d\n", *ptr);
    return 0;
}
int *call(void)
{
    static int x = 25;    /* static: the object outlives the call, so &x stays valid */
    ++x;
    return &x;
}
==============
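A defensive version of both programs, as an added example that is not part of the original article: free() goes through a helper that resets the owner's pointer to NULL so a second free is harmless, and call() returns heap memory instead of the address of a local. The names safe_free, double_free_demo and call_heap are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Free *p and reset the owner's variable to NULL. A second call with the same
 * variable then passes NULL to free(), which the C standard defines as a no-op.
 * Returns 1 if memory was released, 0 if there was nothing to free. */
static int safe_free(char **p)
{
    if (p == NULL || *p == NULL) return 0;
    free(*p);
    *p = NULL;
    return 1;
}

/* Same sequence as the double free program above: two frees of one buffer.
 * Returns how many of them actually released memory (1, never 2), -1 on OOM. */
static int double_free_demo(const char *arg)
{
    size_t n = strlen(arg) + 1;   /* bytes for the string, not sizeof a pointer */
    char *bufer = malloc(n);
    if (bufer == NULL) return -1;
    memcpy(bufer, arg, n);
    int released = 0;
    released += safe_free(&bufer);  /* frees the buffer, bufer becomes NULL */
    released += safe_free(&bufer);  /* second free is now harmless */
    return released;
}

/* Replacement for call(): the value lives on the heap, so the pointer stays
 * valid after the function returns. The caller owns it and must free it. */
static int *call_heap(void)
{
    int *x = malloc(sizeof *x);
    if (x != NULL) *x = 25 + 1;   /* the original sets x=25 then does ++x */
    return x;
}

int main(void)
{
    int *p = call_heap();
    if (p != NULL) { printf("%d\n", *p); free(p); p = NULL; }
    printf("frees that released memory: %d\n", double_free_demo("hello"));
    return 0;
}
```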