diff options
author | Moritz Eckert <m.eckert@cs.ucsb.edu> | 2018-08-16 21:08:36 -0400 |
---|---|---|
committer | DJ Delorie <dj@delorie.com> | 2018-08-16 21:26:16 -0400 |
commit | d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f (patch) | |
tree | 6a2cf58b68200323ca2e848bb3938cc598bf5a25 /malloc | |
parent | 30a17d8c95fbfb15c52d1115803b63aaa73a285c (diff) | |
download | glibc-d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f.tar.gz glibc-d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f.tar.xz glibc-d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f.zip |
malloc: Mitigate null-byte overflow attacks
* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size. (malloc_consolidate): Likewise.
Diffstat (limited to 'malloc')
-rw-r--r-- | malloc/malloc.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index 9431108626..7c8bf8413c 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock) prevsize = prev_size (p); size += prevsize; p = chunk_at_offset(p, -((long) prevsize)); + if (__glibc_unlikely (chunksize(p) != prevsize)) + malloc_printerr ("corrupted size vs. prev_size while consolidating"); unlink(av, p, bck, fwd); } @@ -4442,6 +4444,8 @@ static void malloc_consolidate(mstate av) prevsize = prev_size (p); size += prevsize; p = chunk_at_offset(p, -((long) prevsize)); + if (__glibc_unlikely (chunksize(p) != prevsize)) + malloc_printerr ("corrupted size vs. prev_size in fastbins"); unlink(av, p, bck, fwd); } |