Double NULL(*ing) in C

Question

While I was doing my assignment I came across an issue. I know that double freeing cause undefined behavior.

When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.

CWE-415: Double Free

However, while fuzzing I encountered double NULL(set NULL twice(one after another) for one variable) where pointer was NULL(ed) twice. Is that same with double freeing and cause undefined behaviour?

e.g.

int *p;
p = (int*)malloc(10*sizeof(int));
p = NULL;
p = NULL; (**seconds time)**

You can set a pointer to NULL as many times as you like... it's not really clear what you are asking, could you show an example? — Lundin, Jun 09 '21 at 09:30
What do you mean to NULL a pointer? Assign 0 to a pointer variable? — Paul Hankin, Jun 09 '21 at 09:31

CiaPan · Answer 1 · 2021-06-09T09:56:21.060

I'm not quite sure what you're asking about, but:

if you try to free() the same memory block twice in a row:

    void* ptr = malloc(120);
    free(ptr);
    free(ptr);

then the second call to free() will probably corrupt the heap;

however, if you set your pointer variable to NULL after freeing the pointed block:

    void* ptr = malloc(120);
    free(ptr);
    ptr = NULL;

    // ....do some other stuff
    // (but no assignment to ptr!)

    free(ptr);
    ptr = NULL;

then the second call to free() passes a NULL pointer to it, and free() returns with no harm.

Setting ptr to NULL does not free the allocated memory. This would work e.g. in Java, where the virtual machine tracks all references to objects and deletes those no longer used. In that context the first ptr = null; would make a pointed object eligible for deleting (provided no other references to it exist), and another ptr = null; would not change anything.

In C you must 'manually' release memory you allocated and that is quite separate from nullifying any pointer variables. If you do

int *p;
p = (int*)malloc(10*sizeof(int));
p = NULL;
p = NULL;

then you: declare a p variable; allocate a block of memory and store its address in the p variable; overwrite the stored address with a NULL pointer (thus effectively you loose access to the allocated memory block); and overwrite it once again with the same NULL value.

That does not affect the allocated block. It remains allocated till the end of your program execution, but without the pointer value returned from malloc() you can't use it or even free() it. That's what we call a memory leak.

I edited the question. There is two simultaneous NULL(*ing) – Mark Ezberg Jun 09 '21 at 09:42 — Mark Ezberg, Jun 09 '21 at 09:42

score 2 · Answer 2 · answered Jun 09 '21 at 09:38

A pointer can be "nulled" twice, because its just assigning a value to it. The memory however is still allocated. Setting the pointer to null won't change that. This is why you can do this as often as you like.

With free()-ing the pointer however, you're deallocating the memory. This means is could be used for other variables and such.

Once the memory was deallocated, you can't deallocate it a second time, this is why it causes undefined behaviour.

Have a look at this question for reference.

score 1 · Answer 3 · answered Jun 09 '21 at 09:34

1

NULL is a macro that most of the times stands for 0. So all you do is, assign 0 twice to a variable. So pretty defined behaviour...

answered Jun 09 '21 at 09:34

Double NULL(*ing) in C

3 Answers3