bin/141753: double-free in reallocf()
Dan Lukes
dan at obluda.cz
Fri Dec 18 16:50:04 UTC 2009
>Number: 141753
>Category: bin
>Synopsis: double-free in reallocf()
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 18 16:50:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 7.2-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 7.2-STABLE i386
lib/libc/stdlib/reallocf.c,v 1.4 2002/03/22 21:53:10
******** SYS V malloc() compatibility (malloc option 'V' in effect)
>Description:
Imagine the code:
-----------------
_malloc_options = "V";
...
ptr=malloc(5);
...
nptr=reallocf(ptr,0);
-----------------
Now look into libc's reallocf() implementation:
void *
reallocf(void *ptr, size_t size)
{
	void *nptr;

	nptr = realloc(ptr, size);
	if (!nptr && ptr)
		free(ptr);
	return (nptr);
}
The realloc() is called with non-NULL ptr.
Zero-size realloc never fails, so ptr is freed by realloc. nptr is NULL
because of size=0 and option V.
Unfortunately, it means the free(ptr) is called again,
causing a double-free of ptr.
It never fails (allocation of
>How-To-Repeat:
See code in description.
>Fix:
The free must not be called when size=0 and opt_sysv == true
because the pointer is already freed.
Unfortunately the opt_sysv variable is not available here; it is a
static variable within malloc.c.
It sounds to me that a better solution is to move the reallocf()
implementation from reallocf.c to malloc.c
(opt_sysv is available there), but there may be other solutions.
>Release-Note:
>Audit-Trail:
>Unformatted:
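The sequence described in the PR, as an added example that is not part of the report or of FreeBSD's libc. It models malloc option 'V' (realloc(ptr, 0) frees ptr and returns NULL) with a small pointer ledger so the second free is counted instead of corrupting the real heap, runs the reallocf() logic quoted above against that model, and beside it a variant that implements the fix the PR proposes (skip the free when size == 0 and opt_sysv is set). The names model_realloc, reallocf_as_in_pr, reallocf_fixed and the opt_sysv flag visible here are assumptions of the example; real malloc.c keeps opt_sysv static.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not libc code.  A ledger of live pointers lets us
 * report a double free instead of handing it to the real allocator. */
#define LEDGER_SLOTS 16
static void *ledger[LEDGER_SLOTS];
static int double_free_count;   /* frees of a pointer that is not live */
static int opt_sysv = 1;        /* stands in for malloc.c's static opt_sysv */

int ledger_live(void)           /* number of blocks still allocated */
{
	int i, n = 0;
	for (i = 0; i < LEDGER_SLOTS; i++)
		if (ledger[i] != NULL) n++;
	return n;
}

static void ledger_add(void *p)
{
	int i;
	for (i = 0; i < LEDGER_SLOTS; i++)
		if (ledger[i] == NULL) { ledger[i] = p; return; }
	abort();                    /* example keeps at most 16 live blocks */
}

/* Returns 1 and drops p if it is live, 0 if p was already freed. */
static int ledger_remove(void *p)
{
	int i;
	for (i = 0; i < LEDGER_SLOTS; i++)
		if (ledger[i] == p) { ledger[i] = NULL; return 1; }
	return 0;
}

static void *tracked_malloc(size_t size)
{
	void *p = malloc(size ? size : 1);
	if (p != NULL) ledger_add(p);
	return p;
}

static void tracked_free(void *p)
{
	if (p == NULL) return;
	if (ledger_remove(p)) free(p);
	else double_free_count++;   /* second free: count it, leave the heap alone */
}

/* Model of realloc() under option 'V': a non-NULL ptr with size 0 is freed
 * and NULL is returned (this path "never fails").  Other cases are reduced
 * to malloc-new/free-old; contents are not copied, which is irrelevant here. */
static void *model_realloc(void *ptr, size_t size)
{
	void *np;
	if (ptr != NULL && size == 0 && opt_sysv) {
		tracked_free(ptr);
		return NULL;
	}
	np = tracked_malloc(size);
	if (np != NULL && ptr != NULL)
		tracked_free(ptr);
	return np;
}

/* Same logic as reallocf.c: NULL from realloc is read as failure, so ptr
 * is freed a second time when 'V' already released it. */
static void *reallocf_as_in_pr(void *ptr, size_t size)
{
	void *nptr = model_realloc(ptr, size);
	if (!nptr && ptr)
		tracked_free(ptr);
	return nptr;
}

/* Fix in the spirit of the PR: with opt_sysv visible, do not free when
 * size == 0 under 'V', because realloc has already done so. */
static void *reallocf_fixed(void *ptr, size_t size)
{
	void *nptr = model_realloc(ptr, size);
	if (!nptr && ptr && !(size == 0 && opt_sysv))
		tracked_free(ptr);
	return nptr;
}

/* Drivers replay "ptr = malloc(5); reallocf(ptr, 0)" and return the number
 * of double frees observed. */
int run_reallocf_as_in_pr(void)
{
	void *p;
	double_free_count = 0;
	p = tracked_malloc(5);
	(void)reallocf_as_in_pr(p, 0);
	return double_free_count;
}

int run_reallocf_fixed(void)
{
	void *p;
	double_free_count = 0;
	p = tracked_malloc(5);
	(void)reallocf_fixed(p, 0);
	return double_free_count;
}

int main(void)
{
	printf("reallocf as in PR: %d double free(s)\n", run_reallocf_as_in_pr());
	printf("reallocf fixed:    %d double free(s)\n", run_reallocf_fixed());
	return 0;
}
```

With opt_sysv set to 0 the model's realloc(ptr, 0) returns a minimal block instead of NULL, and neither variant frees twice; the fixed variant still frees ptr on a genuine failure for any non-zero size, which is the behaviour reallocf() exists to provide.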