From d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f Mon Sep 17 00:00:00 2001
From: Moritz Eckert <m.eckert@cs.ucsb.edu>
Date: Thu, 16 Aug 2018 21:08:36 -0400
Subject: malloc: Mitigate null-byte overflow attacks

* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
(malloc_consolidate): Likewise.
---
 malloc/malloc.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'malloc')

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 9431108..7c8bf84 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
       prevsize = prev_size (p);
       size += prevsize;
       p = chunk_at_offset(p, -((long) prevsize));
+      if (__glibc_unlikely (chunksize(p) != prevsize))
+        malloc_printerr ("corrupted size vs. prev_size while consolidating");
       unlink(av, p, bck, fwd);
     }
 
@@ -4442,6 +4444,8 @@ static void malloc_consolidate(mstate av)
 	  prevsize = prev_size (p);
 	  size += prevsize;
 	  p = chunk_at_offset(p, -((long) prevsize));
+	  if (__glibc_unlikely (chunksize(p) != prevsize))
+	    malloc_printerr ("corrupted size vs. prev_size in fastbins");
 	  unlink(av, p, bck, fwd);
 	}
 
-- 
cgit v1.1