authorDJ Delorie <dj@delorie.com>2017-03-17 15:31:38 -0400
committerDJ Delorie <dj@delorie.com>2017-03-17 15:31:38 -0400
commit17f487b7afa7cd6c316040f3e6c86dc96b2eec30 (patch)
tree5836e9e3b024ffd8c45029f7a2934aad44229b71 /malloc
parentb170d2e7ab998180abbd24fdd6c03ecb4293d000 (diff)
Further harden glibc malloc metadata against 1-byte overflows.
Additional check for chunk_size == next->prev->chunk_size in unlink() 2017-03-17 Chris Evans <scarybeasts@gmail.com> * malloc/malloc.c (unlink): Add consistency check between size and next->prev->size, to further harden against 1-byte overflows.
Diffstat (limited to 'malloc')
-rw-r--r--malloc/malloc.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index e29105c..994a232 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1376,6 +1376,8 @@ typedef struct malloc_chunk *mbinptr;
/* Take a chunk off a bin list */
#define unlink(AV, P, BK, FD) { \
+ if (__builtin_expect (chunksize(P) != prev_size (next_chunk(P)), 0)) \
+ malloc_printerr (check_action, "corrupted size vs. prev_size", P, AV); \
FD = P->fd; \
BK = P->bk; \
if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) \
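Review bot: The new size check reports a mismatch but does not stop the unlink, because its `malloc_printerr (check_action, "corrupted size vs. prev_size", P, AV);` line is followed unconditionally by `FD = P->fd;`. Whether `malloc_printerr` can return depends on `check_action`, which is defined outside this hunk; if it can, the list pointers of a chunk just flagged as inconsistent are still read and rewritten, so the rest of the body should sit under an `else`, or the no-return assumption should be stated. The check also deserves a comment such as `/* P's size must equal the prev_size recorded in the next chunk; a mismatch means one of the two fields was altered. */`. Since `next_chunk(P)` is located through P's own size field, the test shows that the two fields agree rather than that either is intact, and the comment should describe it as a consistency check. The body of `unlink` continues past the end of the hunk.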