edware said:
http://cprogramming.com/tutorial/secure.html
It's under Double Free Attack.
Maybe should have posted to comp.lang.c instead since
it's malloc and free, but I didn't think of that
since I was reading the C++ tutorial.
That newsgroup might have more experience with undefined behavior after a
bad free().
In general, the "double free" they describe is simply undefined behavior.
Any undefined behavior could cause anything to happen; anything from the
program appearing to work correctly, to the nearest toilet exploding, to a
program becoming vulnerable to attack.
At the second free(), the heap manager will not notice the block it's
freeing is already free. (That's a serious optimization, because it prevents
the heap manager from walking the entire free list.) The manager will read
and write the variables in the block that indicate its size and status, and
will attempt to join the block with the ones around it.
If a specific program had this bug, an attacker could conceivably submit
program code inside a string (the standard attack route). Then at double
free time the heap manager might jump into this string instead of its own
code.
The C++ fix is a style called RAII. Look that up.
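As an added example (not from the original post or the linked tutorial), here is the ownership mistake behind a typical C++ double free, beside the RAII fix the reply recommends. The `Tracker` type is a constructed stand-in for the heap manager: it refuses and counts a second release of the same block, so the program stays defined while showing why a copied raw handle frees twice and why a move-only `std::unique_ptr` cannot.

```cpp
#include <cstddef>
#include <cstdlib>
#include <memory>
#include <set>
#include <utility>

// Constructed stand-in for the heap manager (assumption, not a real allocator):
// it remembers live blocks, so a second release of the same pointer is counted
// instead of being passed to free(), which would be undefined behaviour.
struct Tracker {
    std::set<void*> live;
    int double_frees = 0;
    void* acquire(std::size_t n) { void* p = std::malloc(n); live.insert(p); return p; }
    void release(void* p) {
        if (live.erase(p) == 0) { ++double_frees; return; }  // already freed
        std::free(p);
    }
};

// Before: manual ownership with the compiler-generated copy constructor.
// Copying duplicates the raw pointer, so both destructors release one block.
struct RawHandle {
    Tracker* t; void* p;
    RawHandle(Tracker* tr, std::size_t n) : t(tr), p(tr->acquire(n)) {}
    ~RawHandle() { t->release(p); }
};

int double_free_count_raw() {
    Tracker t;
    {
        RawHandle a(&t, 16);
        RawHandle b = a;  // shallow copy: two owners of the same block
    }                     // both destructors run; the second release is a double free
    return t.double_frees;  // returns 1
}

// After (RAII): a move-only std::unique_ptr with a custom deleter owns the block,
// so a second owner cannot be created by accident and release runs exactly once.
struct TrackedDelete { Tracker* t; void operator()(void* p) const { t->release(p); } };
using Block = std::unique_ptr<void, TrackedDelete>;

int double_free_count_raii() {
    Tracker t;
    {
        Block a(t.acquire(16), TrackedDelete{&t});
        Block b = std::move(a);  // ownership transfers; `a` is now empty
        // Block c = a;          // does not compile: copying is deleted
    }                            // exactly one release
    return t.double_frees;  // returns 0
}
```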