From owner-freebsd-bugs Wed Mar 12 10:00:04 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA29168 for bugs-outgoing; Wed, 12 Mar 1997 10:00:04 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA29152; Wed, 12 Mar 1997 10:00:02 -0800 (PST)
Resent-Date: Wed, 12 Mar 1997 10:00:02 -0800 (PST)
Resent-Message-Id: <199703121800.KAA29152@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, jmaslak@blackfire.com
Received: from blackfire.com (hill153.uwyo.edu [129.72.150.153]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA29042 for ; Wed, 12 Mar 1997 09:58:08 -0800 (PST)
Received: (from jmaslak@localhost) by blackfire.com (8.8.5/8.7.3) id KAA21827; Wed, 12 Mar 1997 10:58:29 -0700 (MST)
Message-Id: <199703121758.KAA21827@blackfire.com>
Date: Wed, 12 Mar 1997 10:58:29 -0700 (MST)
From: Joel Maslak
Reply-To: jmaslak@blackfire.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/2964: malloc() returns non-null when it should not
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 2964
>Category: kern
>Synopsis: malloc() returns non-null when it should not
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 12 10:00:01 PST 1997
>Last-Modified:
>Originator: Joel Maslak
>Organization: None
>Release: FreeBSD 3.0-CURRENT i386
>Environment:

	3.0-CURRENT from December 1996, Pentium, 32 MB RAM, 96 MB swap
	Ulimit set to 64 MB data size.

>Description:

	I'm assuming this is a kernel problem, although it may be a gnu
	problem.

	If malloc is called as follows:

		malloc((size_t) 0xffffffff)

	it returns a non-null pointer.

	Obviously, free objects to freeing this storage, with a:

		Malloc warning: free():junk pointer, too high to make sense

	Thus, something is definitely broke here.

	The pointer allocated in this case has a value of 0x4000.

>How-To-Repeat:

	Compile (with GCC) and run:

	#include <stdio.h>
	#include <stdlib.h>

	int main(void) {
		void * p;

		p = malloc((size_t) 0xffffffff);
		if (p != NULL)
			printf("KERNEL BUG!  %p\n", p);
		return 0;
	}

	Other values to try:

	0xffffb001 -> 0xfffff000  (Causes a segmentation fault, inside malloc())
	0xfffff001 -> 0xffffffff  (non-null return value)

>Fix:

	Don't use malloc.  :)

>Audit-Trail:
>Unformatted:
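
The report does not identify a cause. As an added example (not part of the original report and not FreeBSD's allocator code), the following shows how an unchecked round-up to a whole page in 32-bit arithmetic wraps to zero for exactly the 0xfffff001 -> 0xffffffff range reported above, next to a checked round-up and a caller-side size cap. Assumptions: a 4 KiB page size, 32-bit size arithmetic, and an allocator that rounds large requests up to whole pages; `round_up_unchecked`, `round_up_checked` and `malloc_capped` are hypothetical names.

```c
/* Added example, not from the report. Assumes 4 KiB pages and 32-bit size math. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ASSUMED_PAGE 4096u              /* assumption: i386 page size */

/* Page round-up with no overflow check, done in 32 bits as on i386. */
uint32_t round_up_unchecked(uint32_t size)
{
    return (size + (ASSUMED_PAGE - 1)) & ~(ASSUMED_PAGE - 1);
}

/* Same round-up, but reports failure instead of wrapping past 2^32. */
int round_up_checked(uint32_t size, uint32_t *out)
{
    if (size > UINT32_MAX - (ASSUMED_PAGE - 1))
        return -1;                      /* would wrap: refuse the request */
    *out = (size + (ASSUMED_PAGE - 1)) & ~(ASSUMED_PAGE - 1);
    return 0;
}

/* Hypothetical caller-side guard: reject requests above a cap before malloc(). */
void *malloc_capped(size_t size, size_t cap)
{
    if (size == 0 || size > cap)
        return NULL;
    return malloc(size);
}

int main(void)
{
    /* Boundary sizes taken from the report's "other values to try". */
    const uint32_t sizes[] = { 0xfffff000u, 0xfffff001u, 0xffffffffu };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        uint32_t r = 0;
        int rc = round_up_checked(sizes[i], &r);
        printf("size=0x%08x unchecked=0x%08x checked=%s\n",
               (unsigned)sizes[i], (unsigned)round_up_unchecked(sizes[i]),
               rc == 0 ? "ok" : "rejected");
    }
    /* Cap chosen to match the 64 MB data-size limit in the report. */
    void *p = malloc_capped((size_t)0xffffffffu, (size_t)64 << 20);
    printf("capped malloc: %p\n", p);
    free(p);
    return 0;
}
```

The segmentation-fault range (0xffffb001 -> 0xfffff000) is not modelled here.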