diff options
author | Rich Felker <dalias@aerifal.cx> | 2013-07-19 20:00:11 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2013-07-19 20:00:11 -0400 |
commit | 8389520ed5ad6f0033d6426e21ef653fa5ca26a4 (patch) | |
tree | d953686de75caed19c0bc83ab43b258052f2016f /src | |
parent | 41e2fd9d529b00b8532e7170e3cdae0d5d6c6424 (diff) | |
download | musl-8389520ed5ad6f0033d6426e21ef653fa5ca26a4.tar.gz musl-8389520ed5ad6f0033d6426e21ef653fa5ca26a4.tar.xz musl-8389520ed5ad6f0033d6426e21ef653fa5ca26a4.zip |
harden realloc/free to detect simple overflows
the sizes in the header and footer for a chunk should always match. if they don't, the program has definitely invoked undefined behavior, and the most likely cause is a simple overflow, either of a buffer in the block being freed or the one just below it. crashing here should not only improve security of buggy programs, but also aid in debugging, since the crash happens in a context where you have a pointer to the likely-overflowed buffer.
Diffstat (limited to 'src')
-rw-r--r-- | src/malloc/malloc.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/malloc/malloc.c b/src/malloc/malloc.c index 1a6d1493..4044eb2a 100644 --- a/src/malloc/malloc.c +++ b/src/malloc/malloc.c @@ -418,6 +418,9 @@ void *realloc(void *p, size_t n) next = NEXT_CHUNK(self); + /* Crash on corrupted footer (likely from buffer overflow) */ + if (next->psize != self->csize) a_crash(); + /* Merge adjacent chunks if we need more space. This is not * a waste of time even if we fail to get enough space, because our * subsequent call to free would otherwise have to do the merge. */ @@ -471,6 +474,9 @@ void free(void *p) final_size = new_size = CHUNK_SIZE(self); next = NEXT_CHUNK(self); + /* Crash on corrupted footer (likely from buffer overflow) */ + if (next->psize != self->csize) a_crash(); + for (;;) { /* Replace middle of large chunks with fresh zero pages */ if (reclaim && (self->psize & next->csize & C_INUSE)) { |