Hi,

A double free of a chunk also corrupts the canary, but I prefer to see a
double-free error reported rather than a canary error.

        -Otto

Index: malloc.c
===================================================================
RCS file: /cvs/src/lib/libc/stdlib/malloc.c,v
retrieving revision 1.228
diff -u -p -r1.228 malloc.c
--- malloc.c    10 Jul 2017 09:44:16 -0000      1.228
+++ malloc.c    11 Sep 2017 11:07:05 -0000
@@ -1069,16 +1069,16 @@ find_chunknum(struct dir_info *d, struct
 
        /* Find the chunk number on the page */
        chunknum = ((uintptr_t)ptr & MALLOC_PAGEMASK) >> info->shift;
-       if (check && info->size > 0) {
-               validate_canary(d, ptr, info->bits[info->offset + chunknum],
-                   info->size);
-       }
 
        if ((uintptr_t)ptr & ((1U << (info->shift)) - 1))
                wrterror(d, "modified chunk-pointer %p", ptr);
        if (info->bits[chunknum / MALLOC_BITS] &
            (1U << (chunknum % MALLOC_BITS)))
                wrterror(d, "chunk is already free %p", ptr);
+       if (check && info->size > 0) {
+               validate_canary(d, ptr, info->bits[info->offset + chunknum],
+                   info->size);
+       }
        return chunknum;
 }
 
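Review bot: The moved validate_canary() call at the end of the hunk now depends on the two checks above it having run first, and nothing in the code says so; a later cleanup could reorder them back. A comment such as `/* Check alignment and the free bit before the canary: a double free also clobbers the canary, so report the more specific error first. */` on the `if (check && info->size > 0)` line would document the ordering the commit relies on. The alignment check preceding the canary read also appears to matter, since info->bits[info->offset + chunknum] is only meaningful for a properly aligned chunk pointer; the comment should mention that as well. find_chunknum starts outside the hunk.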
