Using delete or free releases the reservation on a memory location, making it immediately available for another purpose.
Releasing the exact same memory location twice leads to undefined behavior and can often crash the program.
The C standard defines as undefined behavior a call to free with a pointer to a memory area that has already been released.
The C++ standard defines the first delete call as the end of the lifetime for dynamically allocated memory. Access to memory past the end of its lifetime, including another delete, is undefined behavior.
What is the potential impact?
The danger of a "double-free" comes directly from the fact that it is undefined behavior (in both C and C++). Note that there is no guarantee that a crash will happen on a "double-free": it may occur when the resource is released, later, or not at all before the end of the program’s execution.
The effects of a "double-free" depend entirely on the program’s memory management implementation. In the case of such an event, one of the following can be observed:
- The program’s memory-management data structures can become corrupted. This will usually cause a crash.
- Demonstrative Example 2 on CWE-415 presents a set of circumstances where a crash does not occur. In these circumstances, the corruption of the mentioned data structures causes two later calls to malloc to return the same pointer. This can lead to a sensitive-data-exposure vulnerability or a buffer-overflow vulnerability.
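The following C program is an added example, not code from the rule page or from the project it describes. It shows the typical shape of the bug (an error path and a shared cleanup path that both release the same block) next to a hardened release helper that makes the second release a no-op. The type and function names (struct message, message_new, message_free_buggy, message_free, process_message) and the sample text are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example type: a heap-allocated message with a heap payload. */
struct message {
    char *payload;
    size_t len;
};

/* Hypothetical constructor: copies `text` into a freshly allocated message. */
struct message *message_new(const char *text) {
    struct message *m = malloc(sizeof *m);
    if (m == NULL) {
        return NULL;
    }
    m->len = strlen(text);
    m->payload = malloc(m->len + 1);
    if (m->payload == NULL) {
        free(m);            /* release the partial allocation exactly once */
        return NULL;
    }
    memcpy(m->payload, text, m->len + 1);
    return m;
}

/* VULNERABLE PATTERN (CWE-415), shown for contrast and never called here:
 * the caller keeps its (now dangling) pointer after the first call, so a
 * second call with the same `m` hands an already-released block to free(),
 * which the C standard leaves undefined. */
void message_free_buggy(struct message *m) {
    free(m->payload);
    free(m);
}

/* HARDENED: takes the owning pointer by address and resets it to NULL after
 * release. A second call sees NULL and returns, so an accidental double
 * release cannot reach free() with a stale pointer. (free(NULL) is itself a
 * guaranteed no-op in C, but the explicit check keeps the dereference of
 * (*pm)->payload out of the NULL case.) */
void message_free(struct message **pm) {
    if (pm == NULL || *pm == NULL) {
        return;
    }
    free((*pm)->payload);
    (*pm)->payload = NULL;  /* leave no dangling pointer inside the struct */
    free(*pm);
    *pm = NULL;             /* the caller's handle no longer refers to freed memory */
}

/* Real-world shape of the bug: an error path releases the resource, then the
 * common cleanup path releases it again. With the buggy helper this is a
 * double-free; with message_free() the second release is a no-op.
 * Returns 1 when the handle is NULL after both releases (the safe outcome),
 * 0 if allocation failed. The error path deliberately falls through to the
 * cleanup to exercise the double release. */
int process_message(const char *text, int fail_early) {
    struct message *m = message_new(text);
    if (m == NULL) {
        return 0;
    }
    if (fail_early) {
        message_free(&m);   /* first release, on the error path */
    }
    /* ... normal processing would go here ... */
    message_free(&m);       /* second release, on the shared cleanup path */
    return m == NULL;
}

int main(void) {
    printf("clean path (single release): %d\n", process_message("hello", 0));
    printf("error path (double release): %d\n", process_message("hello", 1));
    return 0;
}
```

Building with -fsanitize=address (GCC or Clang) is the quickest way to turn the "no guarantee of a crash" problem into a deterministic report: calling message_free_buggy twice on the same handle makes AddressSanitizer abort at the second free with a double-free diagnostic, while message_free passes cleanly because the second call never reaches free().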