Incorrect Use of Free Detection

Detection Workflow

1. Identify free operations: Find all free() calls, locate delete/delete[] calls, map deallocation points, note pointers being freed
2. Trace pointer origins: Find where pointers originate, identify allocation method, track pointer assignments, assess pointer validity
3. Analyze memory type: Verify pointer points to heap memory, check for stack variables, identify static/global variables, assess pointer validity
4. Assess impact: Can incorrect free cause crash? Can it cause heap corruption? What's the security impact? Is it exploitable?

Key Patterns

• Freeing non-heap memory: free() on stack variables, free() on static/global variables, free() on string literals, free() on automatic storage
• Freeing invalid pointers: free() on NULL pointer, free() on already-freed memory, free() on uninitialized pointers, free() on middle of allocations
• Mismatched allocators: free() on new-allocated memory, delete on malloc-allocated memory, cross-allocator deallocation, mixed C/C++ memory management
• Double free patterns: multiple free() on same pointer, free() in multiple code paths, free() in error handling, free() in cleanup functions

Output Format

Report with: id, type, subtype, severity, confidence, location, vulnerability, freed_pointer, pointer_type, allocation_type, free_operation, exploitable, attack_scenario, impact, mitigation.

Severity Guidelines

• HIGH: Incorrect free causing heap corruption
• MEDIUM: Incorrect free causing crashes
• LOW: Incorrect free with limited impact

See Also

• patterns.md - Detailed detection patterns and exploitation scenarios
• examples.md - Example analysis cases and code samples
• references.md - CWE references and mitigation strategies