| commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f |
| Author: Moritz Eckert <m.eckert@cs.ucsb.edu> |
| Date: Thu Aug 16 21:08:36 2018 -0400 |
| |
| malloc: Mitigate null-byte overflow attacks |
| |
| * malloc/malloc.c (_int_free): Check for corrupt prev_size vs size. |
| (malloc_consolidate): Likewise. |
| |
| diff --git a/malloc/malloc.c b/malloc/malloc.c |
| index 13c52f376859562d..e450597e2e527fb7 100644 |
| |
| |
| @@ -4306,6 +4306,8 @@ _int_free (mstate av, mchunkptr p, int have_lock) |
| prevsize = prev_size (p); |
| size += prevsize; |
| p = chunk_at_offset(p, -((long) prevsize)); |
| + if (__glibc_unlikely (chunksize(p) != prevsize)) |
| + malloc_printerr ("corrupted size vs. prev_size while consolidating"); |
| unlink(av, p, bck, fwd); |
| } |
| |
| @@ -4467,6 +4469,8 @@ static void malloc_consolidate(mstate av) |
| prevsize = prev_size (p); |
| size += prevsize; |
| p = chunk_at_offset(p, -((long) prevsize)); |
| + if (__glibc_unlikely (chunksize(p) != prevsize)) |
| + malloc_printerr ("corrupted size vs. prev_size in fastbins"); |
| unlink(av, p, bck, fwd); |
| } |
| |