Is it secure to use malloc?

前端 未结 12 750
爱一瞬间的悲伤
爱一瞬间的悲伤 2021-01-05 04:18

Somebody told me that allocating with malloc is not secure anymore, I\'m not a C/C++ guru but I\'ve made some stuff with malloc and C/C++. Does anyone know about what risks

相关标签:
12条回答
  • 2021-01-05 04:53

    In C++, there is no such problem if you stick to good conventions. In C, well, practice. Malloc itself is not an inherently insecure function at all - people simply can deal with it's results inadequately.

    0 讨论(0)
  • 2021-01-05 04:55

    It is not secure to use malloc because it's not possible to write a large scale application and ensure every malloc is freed in an efficient manner. Thus, you will have tons of memory leaks which may or may not be a problem... but, when you double free, or use the wrong delete etc, undefined behaviour can result. Indeed, using the wrong delete in C++ will typically allow arbitrary code execution.

    The ONLY way for code written in a language like C or C++ to be secure is to mathematically prove the entire program with its dependencies factored in.

    Modern memory-safe languages are safe from these types of bugs as long as the underlying language implementation isn't vulnerable (which is indeed rare because these are all written in C/C++, but as we move towards hardware JVMs, this problem will go away).

    0 讨论(0)
  • 2021-01-05 04:56

    It's probably true that C++'s new is safer than malloc(), but that doesn't automatically make malloc() more unsafe than it was before. Did your friend say why he considers it insecure?


    However, here's a few things you should pay attention to:

    1) With C++, you do need to be careful when you use malloc()/free() and new/delete side-by-side in the same program. This is possible and permissible, but everything that was allocated with malloc() must be freed with free(), and not with delete. Similarly, everything that was allocated with new must be freed with delete, and never with free(). (This logic goes even further: If you allocate an array with new[], you must free it with delete[], and not just with delete.) Always use corresponding counterparts for allocation and deallocation, per object.

    int* ni = new int;
    free(ni);   // ERROR: don't do this!
    delete ni;  // OK
    
    int* mi = (int*)malloc(sizeof(int));
    delete mi;  // ERROR!
    free(mi);   // OK  
    

    2) malloc() and new (speaking again of C++) don't do exactly the same thing. malloc() just gives you a chunk of memory to use; new will additionally call a contructor (if available). Similarly, delete will call a destructor (if available), while free() won't. This could lead to problems, such as incorrectly initialized objects (because the constructor wasn' called) or un-freed resources (because the destructor wasn't called).

    3) C++'s new also takes care of allocating the right amount of memory for the type specified, while you need to calculate this yourself with malloc():

    int *ni = new int;
    int *mi = (int*)malloc(sizeof(int));  // required amount of memory must be
                                          // explicitly specified!
                                          // (in some situations, you can make this 
                                          // a little safer against code changes by
                                          // writing  sizeof(*mi)  instead.)
    

    Conclusion:

    In C++, new/delete should be preferred over malloc()/free() where possible. (In C, new/delete is not available, so the choice would be obvious there.)

    0 讨论(0)
  • 2021-01-05 05:03

    It's the only way to allocate and deallocate memory in C natively. If you misuse it, it can be as insecure as anything else. Microsoft provides some "secure" versions of other functions, that take an extra size_t parametre - maybe your friend was referring to something similar? If that's the case, perhaps he simply prefers calloc() over malloc()?

    0 讨论(0)
  • 2021-01-05 05:04

    There is nothing wrong with malloc as such. Your friend apparently means that manual memory management is insecure and easily leads to bugs. Compared to other languages where the memory is managed automatically by a garbage collector (not that it is not possible to have leaks - nowadays nobody cares if the program cleans up when it terminates, what matters is that something is not hogging memory while the program is running).

    Of course in C++ you wouldn't really touch malloc at all (because it simply isn't functionally equivalent to new and just doesn't do what you need, assuming most of the time you don't want just to get raw memory). And in addition, it is completely possible to program using techniques which almost entirely eliminate the possibility of memory leaks and corruption (RAII), but that takes expertise.

    0 讨论(0)
  • 2021-01-05 05:06

    Your friend could be talking about:

    • The safety of using pointers in general. For example in C++ if you're allocating an array of char with malloc, question why you aren't using a string or vector. Pointers aren't insecure, but code that's buggy due to incorrect use of pointers is.

    • Something about malloc in particular. Most OSes clear memory before first handing it to a process, for security reasons. Otherwise, sensitive data from one app, could be leaked to another app. On OSes that don't do that, you could argue that there's an insecurity related to malloc. It's really more related to free.

    It's also possible your friend doesn't know what he's talking about. When someone says "X is insecure", my response is, "in what way?".

    0 讨论(0)
提交回复
热议问题