C++: Add double-free query documentation.

MathiasVP · MathiasVP · commit fb2ec15dadda · 2023-04-11T15:21:21.000+01:00
diff --git a/cpp/ql/src/Critical/DoubleFree.cpp b/cpp/ql/src/Critical/DoubleFree.cpp
@@ -0,0 +1,10 @@
+int* f() {
+	int *buff = malloc(SIZE*sizeof(int));
+	do_stuff(buff);
+	free(buff);
+	int *new_buffer = malloc(SIZE*sizeof(int));
+	free(buff); // BAD: If new_buffer is assigned the same address as buff,
+              // the memory allocator will free the new buffer memory region,
+              // leading to use-after-free problems and memory corruption.
+	return new_buffer;
+}
diff --git a/cpp/ql/src/Critical/DoubleFree.qhelp b/cpp/ql/src/Critical/DoubleFree.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>
+Dereferencing a pointer after it has been deallocated may result in memory corruption which can
+lead to security vulnerabilities.
+</p>
+
+<include src="dataFlowWarning.inc.qhelp" />
+
+</overview>
+<recommendation>
+<p>
+Ensure that all execution paths deallocate the allocated memory at most once. If possible, reassign
+the pointer to a null value after deallocating it. This will both prevent double-free vulnerabilities, and
+increase the likelihood of the operating system raising a runtime error if the pointer is subsequently
+dereferenced after being deallocated.
+</p>
+
+</recommendation>
+<example><sample src="DoubleFree.cpp" />
+</example>
+<references>
+
+<li>
+OWASP:
+<a href="https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory">Doubly freeing memory</a>.
+</li>
+
+</references>
+</qhelp>
