C++ vulnerability issue with pointers

Question

In a test document I found I got asked what the problem in following code is:

#include <iostream>
#include <stdlib.h>
#include <string.h>
using namespace std;

int main()
{
    char* a = (char*) malloc (20);
    char* b = (char*) malloc (20);
    strcpy(b, "Secure Coding");
    strcpy(a, "Insecure Coding");
    a = b;
    cout << a << endl;
    cout << b << endl << endl;
    free(a);
    free(b);
    return 0;
}

What is it?

Well, what do you think? Have you analyzed the code and what it does? — Lasse V. Karlsen, May 23 '16 at 17:05
Also, it would help if you posted *compiling* code because right now, the problem with the code is that it doesn't compile. That, however, is nothing to do with security or "secure code". — Lasse V. Karlsen, May 23 '16 at 17:06
Also, why have you tagged this question C#? That's not C# code, that's C or C++ code. — Lasse V. Karlsen, May 23 '16 at 17:06
It's not even C code since `` and `cout` is used. To the OP: **C is not C++**. — PaulMcKenzie, May 23 '16 at 17:26
Note that this isn't a security issue as much as it is a resource issue; this code has a memory leak. — John Bode, May 23 '16 at 17:26
@JohnBode: ITs also a security issue as there is undefined behavior. Caused be the result of the resource leak and some calls. — Martin York, May 23 '16 at 18:58

score 9 · Accepted Answer · edited May 23 '17 at 12:00

a=b;

After this assignment a points to the same location as b ("Secure Coding"). You have lost any reference to the initial location pointed by a, so essentially "Insecure Coding" is garbage that cannot be freed.

Another issue is that you are freeing the same pointer twice. After the first free you no longer own that memory.

See: What happens when you try to free() already freed memory in c?

C++ vulnerability issue with pointers

1 Answers1