On Fri, Jul 07, 2017 at 01:50:51PM -0400, Ted Unangst wrote:
> Otto Moerbeek wrote:
> > I think I found it: requested size is not recorded for malloc(0),
> > bp->offset is not initialized in that case. Other code is careful not to
> > use ->offset for size == 0.
> > OA
> > -Otto
>
> OA from me. :)
I lied.... I checked more uses of ->offset and as it turns out,
there's one more access of offset for size == 0. Fix that and assign a
definite value to offset in the size == 0 case, so errors are caught
in more cases.
-Otto
Index: malloc.c
===================================================================
RCS file: /cvs/src/lib/libc/stdlib/malloc.c,v
retrieving revision 1.227
diff -u -p -r1.227 malloc.c
--- malloc.c 7 Jul 2017 19:14:46 -0000 1.227
+++ malloc.c 8 Jul 2017 12:08:42 -0000
@@ -886,6 +886,7 @@ omalloc_make_chunks(struct dir_info *d,
while (i >>= 1)
bp->shift++;
bp->total = bp->free = MALLOC_PAGESIZE >> bp->shift;
+ bp->offset = 0xdead;
bp->page = pp;
k = mprotect(pp, MALLOC_PAGESIZE, PROT_NONE);
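Review bot: the poison value written at `bp->offset = 0xdead;` is a bare magic number with no comment; since this line sits in the path that sizes a zero-size chunk page and then maps it PROT_NONE, a one-line comment (or a named constant) stating that offset is deliberately invalid for size-0 chunks and must never be dereferenced would stop a future reader from taking it for a real offset. The intent from the cover note, making any stray use of ->offset for size == 0 fail loudly instead of reading an uninitialized field, is sound.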
@@ -1793,7 +1794,7 @@ orecallocarray(struct dir_info *argpool,
REALSIZE(sz, r);
if (sz <= MALLOC_MAXCHUNK) {
- if (mopts.chunk_canaries) {
+ if (mopts.chunk_canaries && sz > 0) {
struct chunk_info *info = (struct chunk_info *)r->size;
uint32_t chunknum = find_chunknum(pool, r, p, 0);
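Review bot: the added `sz > 0` at `if (mopts.chunk_canaries && sz > 0) {` is the right place to skip canary validation for a zero-size chunk, because the block it guards immediately reinterprets `r->size` as a chunk_info and calls find_chunknum, which is the remaining ->offset use the cover note describes; a short comment on the condition saying that size-0 chunks record no requested size and carry no canary would explain the special case to the next reader. The rest of this hunk is cut off in the mail, so the other size-dependent branches in orecallocarray should be checked for the same pattern before this goes in.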