C语言 “双免费”是什么意思?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/21057393/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What does "double free" mean?
提问by chris edwards
As the title suggests I am new to C and have a mid-term coming up shortly. I am revising from past papers currently and a recurring theme is double free problem. I understand that it is the process of calling free()on the same memory location twice, but I have a couple of questions that I'm not 100% sure how to answer:
正如标题所暗示的那样,我是 C 语言的新手,并且很快就会有一个中期考试。我目前正在修改过去的论文,一个反复出现的主题是双重免费问题。我知道这是free()两次调用同一个内存位置的过程,但我有几个问题我不是 100% 确定如何回答:
Question 1: What is the result of a double free in C, and why is it such a problem?
问题1:C中double free的结果是什么,为什么会出现这样的问题?
This will cause a double free:
这将导致双重释放:
char* ptr = malloc(sizeof(char));
*ptr = 'a';
free(ptr);
free(ptr);
My response to this would be, would it return a 0x0 memory address and cause a system instability/crash. Also if I remember correctly, a double free can actually call malloctwice which results in a buffer overflow thus leaving the system vulnerable.
我对此的回应是,它是否会返回 0x0 内存地址并导致系统不稳定/崩溃。另外,如果我没记错的话,double free 实际上可以调用malloc两次,这会导致缓冲区溢出,从而使系统容易受到攻击。
What would be the best way to briefly sum up this question?
简要总结这个问题的最佳方法是什么?
Question 2: Describe a situation in which it is particularly easy to introduce a double free in C?
问题2:描述一种在C中特别容易引入double free的情况?
I was thinking when passing pointers around you may accidentally free it in one function, and also free it again without realising?
我在想,当你在你周围传递指针时可能会在一个函数中意外地释放它,并且在没有意识到的情况下再次释放它?
Again, what is the "best" way to sum this up?
同样,总结这一点的“最佳”方式是什么?
回答by templatetypedef
A double free in C, technically speaking, leads to undefined behavior. This means that the program can behave completely arbitrarily and all bets are off about what happens. That's certainly a bad thing to have happen! In practice, double-freeing a block of memory will corrupt the state of the memory manager, which might cause existing blocks of memory to get corrupted or for future allocations to fail in bizarre ways (for example, the same memory getting handed out on two different successive calls of malloc).
从技术上讲,C 中的 double free 会导致undefined behavior。这意味着该程序可以完全任意地运行,并且所有赌注都不会发生。发生这样的事情当然是件坏事!在实践中,双重释放内存块会破坏内存管理器的状态,这可能会导致现有内存块被破坏或未来的分配以奇怪的方式失败(例如,相同的内存被分配给两个) 的不同连续调用malloc。
Double frees can happen in all sorts of cases. A fairly common one is when multiple different objects all have pointers to one another and start getting cleaned up by calls to free. When this happens, if you aren't careful, you might freethe same pointer multiple times when cleaning up the objects. There are lots of other cases as well, though.
在各种情况下都可能发生双重释放。一个相当常见的情况是,多个不同的对象都有彼此的指针,并开始通过调用free. 发生这种情况时,如果您不小心,您可能会free在清理对象时多次使用相同的指针。不过,还有很多其他情况。
Hope this helps!
希望这可以帮助!
回答by zero_yu
Because free() will consolidate adjacent regions by managing the information stored in the tags before each region. It is something like managing the double linked list. So it would be dangerous if the buffer where ptris pointing has been overwritten by an attack string, in which fake tags can be injected.
因为 free() 将通过管理存储在每个区域之前的标签中的信息来合并相邻区域。这有点像管理双链表。因此,如果ptr指向的缓冲区已被攻击字符串覆盖,其中可以注入假标签,那将是危险的。
回答by Weather Vane
This question has been well answered, but I add a late answer due to a "duplicate question" link, which asked "how to avoid it?"
这个问题已经得到很好的回答,但由于“重复问题”链接,我添加了一个迟到的答案,该链接询问“如何避免它?”
One line is added to the example code posted.
在发布的示例代码中添加了一行。
char* ptr = malloc(sizeof(char));
*ptr = 'a';
free(ptr);
ptr = NULL; // add this
free(ptr);
Function freedoes nothing with a NULLpointer.
函数free对NULL指针不做任何事情。
回答by ankurgupta7
As per published C11 standard, calling freeon already freememory location leads to undefined behaviour. It can lead to bizarre situations such as memory not getting allocated even when it's available, heap getting corrupt, same memory location getting allocated to different mallocs etc. Basically, it is undefined and can be anything.
根据已发布的 C11 标准,调用free已经存在的free内存位置会导致未定义的行为。它可能会导致一些奇怪的情况,例如即使内存可用也没有分配,堆损坏,相同的内存位置被分配给不同的 malloc 等。基本上,它是未定义的,可以是任何东西。
ANSI C11 std can be found here. https://www.iso.org/obp/ui/#iso:std:iso-iec:9899:ed-3:v1:en
ANSI C11 标准可以在这里找到。https://www.iso.org/obp/ui/#iso:std:iso-iec:9899:ed-3:v1:en
EDIT: changed NULL to already freed, based on comments. also, link now points to ISO/IEC 9899:2011(en)
编辑:free根据评论将 NULL 更改为已经d。此外,链接现在指向 ISO/IEC 9899:2011(en)
