There is no reason to-be-cleared chunks cannot participate in delayed

freeing; ok tb@
author: otto <> 2023-02-27 06:47:54 +0000
committer: otto <> 2023-02-27 06:47:54 +0000
commit: 31981a76b5fce310c7e0a65e2bb3c7e933121cfd (patch)
tree: 1991b460a46413f18aaa2bd78b77f94775be8eef
parent: 805a22b16d53fd845fd8f4f6f6f1496c4c62bb7e (diff)
download: openbsd-31981a76b5fce310c7e0a65e2bb3c7e933121cfd.tar.gz
openbsd-31981a76b5fce310c7e0a65e2bb3c7e933121cfd.tar.bz2
openbsd-31981a76b5fce310c7e0a65e2bb3c7e933121cfd.zip
1 files changed, 23 insertions, 27 deletions
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c
index 99249b24cb..6167145669 100644
--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: malloc.c,v 1.276 2022/12/27 17:31:09 otto Exp $       */
+/*      $OpenBSD: malloc.c,v 1.277 2023/02/27 06:47:54 otto Exp $       */
 /*
 * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
 * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -1515,42 +1515,38 @@ ofree(struct dir_info **argpool, void *p, int clear, int check, size_t argsz)
                unmap(pool, p, PAGEROUND(sz), clear ? argsz : 0);
                delete(pool, r);
        } else {
+                void *tmp;
+                u_int i;
                /* Validate and optionally canary check */
                struct chunk_info *info = (struct chunk_info *)r->size;
                if (info->size != sz)
                        wrterror(pool, "internal struct corrupt");
                find_chunknum(pool, info, p, mopts.chunk_canaries);
-                if (!clear) {
-                        void *tmp;
+                if (mopts.malloc_freecheck) {
-                        int i;
+                        for (i = 0; i <= MALLOC_DELAYED_CHUNK_MASK; i++)
+                                if (p == pool->delayed_chunks[i])
-                        if (mopts.malloc_freecheck) {
+                                        wrterror(pool,
-                                for (i = 0; i <= MALLOC_DELAYED_CHUNK_MASK; i++)
+                                            "double free %p", p);
-                                        if (p == pool->delayed_chunks[i])
-                                                wrterror(pool,
-                                                    "double free %p", p);
-                        }
-                        junk_free(pool->malloc_junk, p, sz);
-                        i = getrbyte(pool) & MALLOC_DELAYED_CHUNK_MASK;
-                        tmp = p;
-                        p = pool->delayed_chunks[i];
-                        if (tmp == p)
-                                wrterror(pool, "double free %p", tmp);
-                        pool->delayed_chunks[i] = tmp;
-                        if (p != NULL) {
-                                r = find(pool, p);
-                                REALSIZE(sz, r);
-                                if (r != NULL)
-                                        validate_junk(pool, p, sz);
-                        }
-                } else if (argsz > 0) {
-                        r = find(pool, p);
-                        explicit_bzero(p, argsz);
                }
+                if (clear && argsz > 0)
+                        explicit_bzero(p, argsz);
+                junk_free(pool->malloc_junk, p, sz);
+                i = getrbyte(pool) & MALLOC_DELAYED_CHUNK_MASK;
+                tmp = p;
+                p = pool->delayed_chunks[i];
+                if (tmp == p)
+                        wrterror(pool, "double free %p", p);
+                pool->delayed_chunks[i] = tmp;
                if (p != NULL) {
+                        r = find(pool, p);
                        if (r == NULL)
                                wrterror(pool,
                                    "bogus pointer (double free?) %p", p);
+                        REALSIZE(sz, r);
+                        validate_junk(pool, p, sz);
                        free_bytes(pool, r, p);
                }
        }
author	otto <>	2023-02-27 06:47:54 +0000
committer	otto <>	2023-02-27 06:47:54 +0000
commit	31981a76b5fce310c7e0a65e2bb3c7e933121cfd (patch)
tree	1991b460a46413f18aaa2bd78b77f94775be8eef
parent	805a22b16d53fd845fd8f4f6f6f1496c4c62bb7e (diff)
download	openbsd-31981a76b5fce310c7e0a65e2bb3c7e933121cfd.tar.gz openbsd-31981a76b5fce310c7e0a65e2bb3c7e933121cfd.tar.bz2 openbsd-31981a76b5fce310c7e0a65e2bb3c7e933121cfd.zip

diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c index 99249b24cb..6167145669 100644 --- a/src/lib/libc/stdlib/malloc.c +++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: malloc.c,v 1.276 2022/12/27 17:31:09 otto Exp $ */	1	/* $OpenBSD: malloc.c,v 1.277 2023/02/27 06:47:54 otto Exp $ */
2	/*	2	/*
3	* Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>	3	* Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
4	* Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>	4	* Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -1515,42 +1515,38 @@ ofree(struct dir_info *argpool, void p, int clear, int check, size_t argsz)
1515	unmap(pool, p, PAGEROUND(sz), clear ? argsz : 0);	1515	unmap(pool, p, PAGEROUND(sz), clear ? argsz : 0);
1516	delete(pool, r);	1516	delete(pool, r);
1517	} else {	1517	} else {
		1518	void *tmp;
		1519	u_int i;
		1520
1518	/* Validate and optionally canary check */	1521	/* Validate and optionally canary check */
1519	struct chunk_info info = (struct chunk_info )r->size;	1522	struct chunk_info info = (struct chunk_info )r->size;
1520	if (info->size != sz)	1523	if (info->size != sz)
1521	wrterror(pool, "internal struct corrupt");	1524	wrterror(pool, "internal struct corrupt");
1522	find_chunknum(pool, info, p, mopts.chunk_canaries);	1525	find_chunknum(pool, info, p, mopts.chunk_canaries);
1523	if (!clear) {	1526
1524	void *tmp;	1527	if (mopts.malloc_freecheck) {
1525	int i;	1528	for (i = 0; i <= MALLOC_DELAYED_CHUNK_MASK; i++)
1526		1529	if (p == pool->delayed_chunks[i])
1527	if (mopts.malloc_freecheck) {	1530	wrterror(pool,
1528	for (i = 0; i <= MALLOC_DELAYED_CHUNK_MASK; i++)	1531	"double free %p", p);
1529	if (p == pool->delayed_chunks[i])
1530	wrterror(pool,
1531	"double free %p", p);
1532	}
1533	junk_free(pool->malloc_junk, p, sz);
1534	i = getrbyte(pool) & MALLOC_DELAYED_CHUNK_MASK;
1535	tmp = p;
1536	p = pool->delayed_chunks[i];
1537	if (tmp == p)
1538	wrterror(pool, "double free %p", tmp);
1539	pool->delayed_chunks[i] = tmp;
1540	if (p != NULL) {
1541	r = find(pool, p);
1542	REALSIZE(sz, r);
1543	if (r != NULL)
1544	validate_junk(pool, p, sz);
1545	}
1546	} else if (argsz > 0) {
1547	r = find(pool, p);
1548	explicit_bzero(p, argsz);
1549	}	1532	}
		1533	if (clear && argsz > 0)
		1534	explicit_bzero(p, argsz);
		1535	junk_free(pool->malloc_junk, p, sz);
		1536
		1537	i = getrbyte(pool) & MALLOC_DELAYED_CHUNK_MASK;
		1538	tmp = p;
		1539	p = pool->delayed_chunks[i];
		1540	if (tmp == p)
		1541	wrterror(pool, "double free %p", p);
		1542	pool->delayed_chunks[i] = tmp;
1550	if (p != NULL) {	1543	if (p != NULL) {
		1544	r = find(pool, p);
1551	if (r == NULL)	1545	if (r == NULL)
1552	wrterror(pool,	1546	wrterror(pool,
1553	"bogus pointer (double free?) %p", p);	1547	"bogus pointer (double free?) %p", p);
		1548	REALSIZE(sz, r);
		1549	validate_junk(pool, p, sz);
1554	free_bytes(pool, r, p);	1550	free_bytes(pool, r, p);
1555	}	1551	}
1556	}	1552	}