Date: Thu, 20 Dec 2012 10:34:18 +0100
From: Harald Servat <redcrash@gmail.com>
To: Eitan Adler <lists@eitanadler.com>
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>, Gabor Kovesdan <gabor@freebsd.org>
Subject: Re: use after free in grep?
Message-ID: <CAEOTYResCs7Vg9rFNQVvR_905j2LA_yfvXpaBk1vn04GaZNtmw@mail.gmail.com>
In-Reply-To: <CAF6rxg=Ni2Kcgdw2XrSVtU1f9eHaFt1-oBTNv8pm8An52x13nQ@mail.gmail.com>
References: <CAF6rxg=Ni2Kcgdw2XrSVtU1f9eHaFt1-oBTNv8pm8An52x13nQ@mail.gmail.com>

Hello Eitan,

ptr is not changed in realloc (although its allocated memory region is
freed). Is it possible that hash_table_del only takes the value of ptr and
removes such an entry from the hash table? While *ptr is not accessed, that
should be fine, shouldn't it?

Regards.

2012/12/20 Eitan Adler <lists@eitanadler.com>

> Hey,
>
> in xrealloc_impl
>
> 338   new_ptr = realloc(ptr, new_size);
> 339   if (new_ptr != NULL)
> 340   {
> 341     hash_table_del(xmalloc_table, ptr);
>
> ^^^ isn't this a use-after-free of ptr?
>
> §7.22.3.5.2 says that ptr is deallocated after the call to realloc.
>
> 342     hash_table_add(xmalloc_table, new_ptr, (int)new_size, file,
> line, func);
> 343   }
>
>
>
> --
> Eitan Adler
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

-- 
Fry: You can see how I lived before I met you.
Bender: You lived before you met me?!
Fry: Yeah, lots of people did.
Bender: Really?!
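
An added example, not part of the thread or of the FreeBSD source: a minimal tracking realloc wrapper that takes the table key as a uintptr_t before calling realloc, so the old pointer's value is never read after a successful call (C11 6.2.4p2 makes a pointer's value indeterminate once the object it pointed to has ended its lifetime). The table layout and the names tracked_realloc, tracked_size and tracked_count are hypothetical; the thread's hash_table_del and hash_table_add are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the thread's xmalloc_table: address -> size.
 * Keys are stored as integers; key 0 marks an empty slot. */
#define SLOTS 64
static struct { uintptr_t key; size_t size; } table[SLOTS];

static int slot_of(uintptr_t key)          /* index of key, or -1 */
{
    for (int i = 0; i < SLOTS; i++)
        if (table[i].key == key) return i;
    return -1;
}

int tracked_count(void)                    /* number of live entries */
{
    int n = 0;
    for (int i = 0; i < SLOTS; i++) n += table[i].key != 0;
    return n;
}

long tracked_size(const void *p)           /* recorded size, or -1 */
{
    int i = p ? slot_of((uintptr_t)p) : -1;
    return i < 0 ? -1 : (long)table[i].size;
}

void *tracked_realloc(void *ptr, size_t new_size)
{
    /* Take the key while ptr is still a valid pointer value. */
    uintptr_t old_key = (uintptr_t)ptr;
    void *new_ptr = realloc(ptr, new_size);
    if (new_ptr == NULL)
        return NULL;                       /* old block still live: keep its entry */
    int i = old_key ? slot_of(old_key) : -1;
    if (i < 0) i = slot_of(0);             /* untracked or NULL: take a free slot */
    if (i < 0) abort();                    /* table full (fixed size in this sketch) */
    table[i].key = (uintptr_t)new_ptr;     /* replaces the stale entry in place */
    table[i].size = new_size;
    return new_ptr;
}

int main(void)
{
    void *p = tracked_realloc(NULL, 16);
    if (!p) return 1;
    void *q = tracked_realloc(p, 1u << 20);
    if (!q) { free(p); return 1; }
    printf("entries=%d size=%ld\n", tracked_count(), tracked_size(q));
    free(q);
    return 0;
}
```

The failure branch matters as much as the key capture: when realloc returns NULL the old block has not been deallocated, so its table entry must stay.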