use after free in grep?
Dimitry Andric
dim at FreeBSD.org
Thu Dec 20 12:19:14 UTC 2012
On 2012-12-20 08:13, Eitan Adler wrote:
> in xrealloc_impl
>
> 338 new_ptr = realloc(ptr, new_size);
> 339 if (new_ptr != NULL)
> 340 {
> 341 hash_table_del(xmalloc_table, ptr);
>
> ^^^ isn't this a use-after-free of ptr?
Yes, realloc does not guarantee the realloc'd space will be at the same
address, so it may free ptr at its discretion. Also, there is a memory
leak if realloc() returns NULL. This is a very usual mistake when using
realloc(). :-)
Probably, the code should do the hash_table_del() before the realloc(),
but I am not sure if hash_table_del() will already free ptr.
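A tracked-realloc wrapper that fixes both points raised above, added here as an example and not grep's own code: the flat array is a constructed stand-in for xmalloc_table (it only compares pointer values and never frees), and the allocator is passed in as a function pointer so the NULL-return path can be exercised; all function names are my own.

```c
#include <stdlib.h>
/* Constructed stand-in for grep's xmalloc_table: flat array, NULL == free slot. */
#define TABLE_SIZE 16
static void *xmalloc_table[TABLE_SIZE];
static int table_find(void *p)            /* index of p, or -1 if absent */
{
    for (int i = 0; i < TABLE_SIZE; i++)
        if (xmalloc_table[i] == p) return i;
    return -1;
}
static int table_add(void *p) { int i = table_find(NULL); if (i < 0) return 0; xmalloc_table[i] = p; return 1; }
static int table_del(void *p) { int i = table_find(p);    if (i < 0) return 0; xmalloc_table[i] = NULL; return 1; }
static int table_has(void *p) { return table_find(p) >= 0; }
static int table_count(void) { int n = 0; for (int i = 0; i < TABLE_SIZE; i++) n += xmalloc_table[i] != NULL; return n; }
/* Tracked realloc; realloc_fn is injectable (pass realloc normally).
 * ptr leaves the table BEFORE realloc_fn may free it, and the table itself never frees;
 * if realloc_fn fails, ptr is still live and still the caller's, so it is re-registered. */
static void *xrealloc_tracked(void *ptr, size_t new_size,
                              void *(*realloc_fn)(void *, size_t))
{
    if (new_size == 0) new_size = 1;      /* realloc(p, 0) may free p: stay off that path */
    if (ptr != NULL) table_del(ptr);
    void *new_ptr = realloc_fn(ptr, new_size);
    if (new_ptr == NULL) {
        if (ptr != NULL) table_add(ptr);  /* old block untouched on failure: keep tracking it */
        return NULL;
    }
    table_add(new_ptr);
    return new_ptr;
}
/* Constructed allocator that always fails, to drive the error path. */
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }
/* Walk the wrapper through grow, failed grow, and release; 0 == every invariant held. */
static int check_wrapper(void)
{
    void *a = malloc(8);
    if (a == NULL || !table_add(a)) return 1;
    void *b = xrealloc_tracked(a, 4096, realloc);
    if (b == NULL || !table_has(b) || table_count() != 1) return 2;
    if (xrealloc_tracked(b, 64, failing_realloc) != NULL) return 3;
    if (!table_has(b) || table_count() != 1) return 4;   /* b survived the failed realloc */
    table_del(b); free(b);                               /* untrack first, then free */
    return table_count() == 0 ? 0 : 5;
}
```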