diff options
| author | otto <> | 2017-04-22 09:12:49 +0000 |
|---|---|---|
| committer | otto <> | 2017-04-22 09:12:49 +0000 |
| commit | c55942aa2765a47b52e4dc8d26949e26d41a99bb (patch) | |
| tree | 9a21060563d63e7d6a5ea6292606aec1214fa90c | |
| parent | 35361b16246c3e7aa5300e4fde4d34e0711a05db (diff) | |
| download | openbsd-c55942aa2765a47b52e4dc8d26949e26d41a99bb.tar.gz openbsd-c55942aa2765a47b52e4dc8d26949e26d41a99bb.tar.bz2 openbsd-c55942aa2765a47b52e4dc8d26949e26d41a99bb.zip | |
For small allocations (chunk) freezero only validates the given
size if canaries are enabled. In that case we have the exact requested
size of the allocation. But we can at least check the given size
against the chunk size if C is not enabled. Plus add some braces
so my brain doesn't have to scan for dangling else problems when I
see this code.
| -rw-r--r-- | src/lib/libc/stdlib/malloc.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c index 4e5176f71e..dc395c4736 100644 --- a/src/lib/libc/stdlib/malloc.c +++ b/src/lib/libc/stdlib/malloc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: malloc.c,v 1.223 2017/04/18 15:46:44 otto Exp $ */ | 1 | /* $OpenBSD: malloc.c,v 1.224 2017/04/22 09:12:49 otto Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net> | 3 | * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net> |
| 4 | * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org> | 4 | * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org> |
| @@ -1334,7 +1334,7 @@ ofree(struct dir_info *argpool, void *p, int clear, int check, size_t argsz) | |||
| 1334 | REALSIZE(sz, r); | 1334 | REALSIZE(sz, r); |
| 1335 | if (check) { | 1335 | if (check) { |
| 1336 | if (sz <= MALLOC_MAXCHUNK) { | 1336 | if (sz <= MALLOC_MAXCHUNK) { |
| 1337 | if (mopts.chunk_canaries) { | 1337 | if (mopts.chunk_canaries && sz > 0) { |
| 1338 | struct chunk_info *info = | 1338 | struct chunk_info *info = |
| 1339 | (struct chunk_info *)r->size; | 1339 | (struct chunk_info *)r->size; |
| 1340 | uint32_t chunknum = | 1340 | uint32_t chunknum = |
| @@ -1342,14 +1342,19 @@ ofree(struct dir_info *argpool, void *p, int clear, int check, size_t argsz) | |||
| 1342 | 1342 | ||
| 1343 | if (info->bits[info->offset + chunknum] < | 1343 | if (info->bits[info->offset + chunknum] < |
| 1344 | argsz) | 1344 | argsz) |
| 1345 | wrterror(pool, "recorded old size %hu" | 1345 | wrterror(pool, "recorded size %hu" |
| 1346 | " < %zu", | 1346 | " < %zu", |
| 1347 | info->bits[info->offset + chunknum], | 1347 | info->bits[info->offset + chunknum], |
| 1348 | argsz); | 1348 | argsz); |
| 1349 | } else { | ||
| 1350 | if (sz < argsz) | ||
| 1351 | wrterror(pool, "chunk size %zu < %zu", | ||
| 1352 | sz, argsz); | ||
| 1349 | } | 1353 | } |
| 1350 | } else if (sz - mopts.malloc_guard < argsz) | 1354 | } else if (sz - mopts.malloc_guard < argsz) { |
| 1351 | wrterror(pool, "recorded old size %zu < %zu", | 1355 | wrterror(pool, "recorded size %zu < %zu", |
| 1352 | sz - mopts.malloc_guard, argsz); | 1356 | sz - mopts.malloc_guard, argsz); |
| 1357 | } | ||
| 1353 | } | 1358 | } |
| 1354 | if (sz > MALLOC_MAXCHUNK) { | 1359 | if (sz > MALLOC_MAXCHUNK) { |
| 1355 | if (!MALLOC_MOVE_COND(sz)) { | 1360 | if (!MALLOC_MOVE_COND(sz)) { |