Fortify version 24.4 unable to detect memory issues in C/C++

Question

I am using Fortify version 24.4 to analyze C/C++ code for security vulnerabilities and memory-related issues. However, I have observed that the tool is not effectively detecting certain critical memory issues, such as NULL Dereference, Use After Free, and Memory Leaks. .

Could you please provide some pointers or recommendations on the following:

Are there specific configurations or settings in Fortify that need to be adjusted to improve its ability to detect these memory issues?

#include <stdio.h>
#include <stdlib.h>

struct Node {
    int data;
    struct Node* next;
};

void memory_leak_example() {
    // Memory leak - allocated but never freed
    int* numbers = (int*)malloc(sizeof(int) * 10);
    for(int i = 0; i < 10; i++) {
        numbers[i] = i;
    }
    // Function returns without freeing numbers
}

void null_pointer_example(int* ptr) {
    // Potential null pointer dereference
    *ptr = 42;  // No null check before dereferencing
}

void double_free_example() {
    char* str = (char*)malloc(50);
    if(str != NULL) {
        free(str);
        // Double free
        free(str);
    }
}

void use_after_free_example() {
    int* ptr = (int*)malloc(sizeof(int));
    *ptr = 10;
    free(ptr);
    // Use after free
    *ptr = 20;
}

int main() {
    // Example 1: Memory leak
    memory_leak_example();
    
    // Example 2: Null pointer dereference
    int* null_ptr = NULL;
    null_pointer_example(null_ptr);
    
    // Example 3: Double free
    double_free_example();
    
    // Example 4: Use after free
    use_after_free_example();
    
    return 0;
}

Rahul Dhalla · Accepted Answer

Got it , this was happening due to recent changes in fortify scan policy . By default it is using "security" but in fortify version 22 it was using "classic"

Menu

Fortify Discussions

${resource:CF_GenericContent}test

Fortify version 24.4 unable to detect memory issues in C/C++

Tags:

Top Replies

Verified Answer

Resources