From e825de79df20ff7ad493d85dd9adfbfac4020cd0 Mon Sep 17 00:00:00 2001 From: otto Date: Sat, 22 Apr 2017 09:12:49 +0000 Subject: [PATCH] For small allocations (chunk) freezero only validates the given size if canaries are enabled. In that case we have the exact requested size of the allocation. But we can at least check the given size against the chunk size if C is not enabled. Plus add some braces so my brain doesn't have to scan for dangling else problems when I see this code. --- lib/libc/stdlib/malloc.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/lib/libc/stdlib/malloc.c b/lib/libc/stdlib/malloc.c index 4e5176f71ee..dc395c4736c 100644 --- a/lib/libc/stdlib/malloc.c +++ b/lib/libc/stdlib/malloc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: malloc.c,v 1.223 2017/04/18 15:46:44 otto Exp $ */ +/* $OpenBSD: malloc.c,v 1.224 2017/04/22 09:12:49 otto Exp $ */ /* * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek * Copyright (c) 2012 Matthew Dempsky @@ -1334,7 +1334,7 @@ ofree(struct dir_info *argpool, void *p, int clear, int check, size_t argsz) REALSIZE(sz, r); if (check) { if (sz <= MALLOC_MAXCHUNK) { - if (mopts.chunk_canaries) { + if (mopts.chunk_canaries && sz > 0) { struct chunk_info *info = (struct chunk_info *)r->size; uint32_t chunknum = @@ -1342,14 +1342,19 @@ ofree(struct dir_info *argpool, void *p, int clear, int check, size_t argsz) if (info->bits[info->offset + chunknum] < argsz) - wrterror(pool, "recorded old size %hu" + wrterror(pool, "recorded size %hu" " < %zu", info->bits[info->offset + chunknum], argsz); + } else { + if (sz < argsz) + wrterror(pool, "chunk size %zu < %zu", + sz, argsz); } - } else if (sz - mopts.malloc_guard < argsz) - wrterror(pool, "recorded old size %zu < %zu", + } else if (sz - mopts.malloc_guard < argsz) { + wrterror(pool, "recorded size %zu < %zu", sz - mopts.malloc_guard, argsz); + } } if (sz > MALLOC_MAXCHUNK) { if (!MALLOC_MOVE_COND(sz)) { -- 2.20.1