Hi, A double free of a chunk corrupts the canary, but I prefer to see a double free error reported,
-Otto
Index: malloc.c
===================================================================
RCS file: /cvs/src/lib/libc/stdlib/malloc.c,v
retrieving revision 1.228
diff -u -p -r1.228 malloc.c
--- malloc.c 10 Jul 2017 09:44:16 -0000 1.228
+++ malloc.c 11 Sep 2017 11:07:05 -0000
@@ -1069,16 +1069,16 @@ find_chunknum(struct dir_info *d, struct
 /* Find the chunk number on the page */
 chunknum = ((uintptr_t)ptr & MALLOC_PAGEMASK) >> info->shift;
- if (check && info->size > 0) {
- validate_canary(d, ptr, info->bits[info->offset + chunknum],
- info->size);
- }
 if ((uintptr_t)ptr & ((1U << (info->shift)) - 1))
 wrterror(d, "modified chunk-pointer %p", ptr);
 if (info->bits[chunknum / MALLOC_BITS] & (1U << (chunknum % MALLOC_BITS)))
 wrterror(d, "chunk is already free %p", ptr);
+ if (check && info->size > 0) {
+ validate_canary(d, ptr, info->bits[info->offset + chunknum],
+ info->size);
+ }
 return chunknum;
 }
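Review bot: The order of the checks in find_chunknum is now what decides which error a double free produces, yet nothing on the new side records that, so a later tidy-up could move the canary check back up. A short comment above the moved `if (check && info->size > 0)` block would pin it, for example `/* Validate the canary last: a misaligned or already-free chunk must be reported as such, not as a canary failure. */`. This relies on wrterror() not returning, which the hunk does not show. find_chunknum begins before the hunk, so the rest of its body was not reviewed.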