bdc76f
commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f
bdc76f
Author: Moritz Eckert <m.eckert@cs.ucsb.edu>
bdc76f
Date:   Thu Aug 16 21:08:36 2018 -0400
bdc76f
bdc76f
    malloc: Mitigate null-byte overflow attacks
bdc76f
    
bdc76f
    * malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
bdc76f
    (malloc_consolidate): Likewise.
bdc76f
bdc76f
diff --git a/malloc/malloc.c b/malloc/malloc.c
bdc76f
index 13c52f376859562d..e450597e2e527fb7 100644
bdc76f
--- a/malloc/malloc.c
bdc76f
+++ b/malloc/malloc.c
bdc76f
@@ -4306,6 +4306,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
bdc76f
       prevsize = prev_size (p);
bdc76f
       size += prevsize;
bdc76f
       p = chunk_at_offset(p, -((long) prevsize));
bdc76f
+      if (__glibc_unlikely (chunksize(p) != prevsize))
bdc76f
+        malloc_printerr ("corrupted size vs. prev_size while consolidating");
bdc76f
       unlink(av, p, bck, fwd);
bdc76f
     }
bdc76f
 
bdc76f
@@ -4467,6 +4469,8 @@ static void malloc_consolidate(mstate av)
bdc76f
 	  prevsize = prev_size (p);
bdc76f
 	  size += prevsize;
bdc76f
 	  p = chunk_at_offset(p, -((long) prevsize));
bdc76f
+	  if (__glibc_unlikely (chunksize(p) != prevsize))
bdc76f
+	    malloc_printerr ("corrupted size vs. prev_size in fastbins");
bdc76f
 	  unlink(av, p, bck, fwd);
bdc76f
 	}
bdc76f