aboutsummaryrefslogtreecommitdiff
path: root/malloc/malloc.c
diff options
context:
space:
mode:
authorMoritz Eckert <m.eckert@cs.ucsb.edu>2018-08-16 21:08:36 -0400
committerDJ Delorie <dj@delorie.com>2018-08-16 21:26:16 -0400
commitd6db68e66dff25d12c3bc5641b60cbd7fb6ab44f (patch)
tree6a2cf58b68200323ca2e848bb3938cc598bf5a25 /malloc/malloc.c
parent30a17d8c95fbfb15c52d1115803b63aaa73a285c (diff)
downloadglibc-d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f.zip
glibc-d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f.tar.gz
glibc-d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f.tar.bz2
malloc: Mitigate null-byte overflow attacks
* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size. (malloc_consolidate): Likewise.
Diffstat (limited to 'malloc/malloc.c')
-rw-r--r--malloc/malloc.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 9431108..7c8bf84 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
prevsize = prev_size (p);
size += prevsize;
p = chunk_at_offset(p, -((long) prevsize));
+ if (__glibc_unlikely (chunksize(p) != prevsize))
+ malloc_printerr ("corrupted size vs. prev_size while consolidating");
unlink(av, p, bck, fwd);
}
@@ -4442,6 +4444,8 @@ static void malloc_consolidate(mstate av)
prevsize = prev_size (p);
size += prevsize;
p = chunk_at_offset(p, -((long) prevsize));
+ if (__glibc_unlikely (chunksize(p) != prevsize))
+ malloc_printerr ("corrupted size vs. prev_size in fastbins");
unlink(av, p, bck, fwd);
}