bin/141753: double-free in reallocf()

Dan Lukes dan at
Fri Dec 18 16:50:04 UTC 2009

>Number:         141753
>Category:       bin
>Synopsis:       double-free in reallocf()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 18 16:50:03 UTC 2009
>Originator:     Dan Lukes
>Release:        FreeBSD 7.2-STABLE i386
System: FreeBSD 7.2-STABLE i386
lib/libc/stdlib/reallocf.c,v 1.4 2002/03/22 21:53:10

******** SYS V malloc() compatibility (malloc option 'V' in effect)


Imagine the code:

_malloc_options = "V";

Now look into libc's reallocf() implementation: 

#include <stdlib.h>

void *
reallocf(void *ptr, size_t size)
{
	void *nptr;

	nptr = realloc(ptr, size);
	/* realloc() returned NULL: release the caller's block. With option 'V'
	 * and size == 0, realloc() has already freed ptr, so this is the
	 * second free. */
	if (!nptr && ptr)
		free(ptr);
	return (nptr);
}

realloc() is called with a non-NULL ptr.
A zero-size realloc() never fails, so ptr is freed by realloc(); nptr is NULL
because size=0 and option V is in effect.

Unfortunately, this means free(ptr) is called again,
causing a double free of ptr.

It never fails (allocation of 

See code in description.


free() must not be called when size=0 and opt_sysv == true,
because the pointer has already been freed.

Unfortunately the opt_sysv variable is not available here; it is a
static variable within malloc.c.

It sounds to me that a better solution is to move the reallocf()
implementation from reallocf.c to malloc.c
(opt_sysv is available there), but there may be other solutions.
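The following is an added example, not code from the PR or from FreeBSD's libc: a constructed model of a malloc running with option 'V' (realloc(ptr, 0) frees ptr and returns NULL), the reallocf() logic from the report on top of it, and a hypothetical `size != 0` guard that avoids the second free without access to opt_sysv. The guard is an assumption used to illustrate the failure mode, not the fix proposed above.

```c
#include <stddef.h>

/* Constructed model (not FreeBSD's malloc.c) of malloc with option 'V': one
 * 64-byte block plus a free() counter, so the double free is observed, not fatal. */
static unsigned char arena[64];
static int block_live;
static int free_calls;

static void model_free(void *p) {
    if (p != (void *)arena) return;
    free_calls++;             /* a second call on the same block is the bug */
    block_live = 0;
}

/* realloc() with _malloc_options = "V": size 0 frees ptr and returns NULL. */
static void *model_realloc_sysv(void *p, size_t n) {
    if (n == 0) { model_free(p); return NULL; }
    if (n > sizeof arena) return NULL;            /* genuine growth failure */
    if (p == NULL) { block_live = 1; return arena; }
    return p;                                     /* grow in place */
}

/* Same logic as libc's reallocf(): free ptr whenever realloc() returns NULL. */
static void *reallocf_as_in_libc(void *ptr, size_t size) {
    void *nptr = model_realloc_sysv(ptr, size);
    if (!nptr && ptr) model_free(ptr);            /* second free under 'V' */
    return nptr;
}

/* Hypothetical guard (an assumption, not the PR's proposed fix): NULL for
 * size 0 is not a failure, the block is already gone, so do not free again. */
static void *reallocf_zero_size_aware(void *ptr, size_t size) {
    void *nptr = model_realloc_sysv(ptr, size);
    if (!nptr && ptr && size != 0) model_free(ptr);
    return nptr;
}

/* free() calls triggered by reallocf(p, 0) on one live block: 2 = double free. */
int frees_for_zero_size(int guarded) {
    free_calls = 0; block_live = 1;
    (guarded ? reallocf_zero_size_aware : reallocf_as_in_libc)(arena, 0);
    return free_calls;
}

/* A genuine realloc() failure must still release the block exactly once. */
int frees_for_failed_grow(void) {
    free_calls = 0; block_live = 1;
    void *r = reallocf_zero_size_aware(arena, sizeof arena + 1);
    return (r == NULL && !block_live) ? free_calls : -1;
}
```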
