Date: Thu, 20 Dec 2012 13:19:07 +0100 From: Dimitry Andric <dim@FreeBSD.org> To: Eitan Adler <lists@eitanadler.com> Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>, Gabor Kovesdan <gabor@freebsd.org> Subject: Re: use after free in grep? Message-ID: <50D3023B.8090407@FreeBSD.org> In-Reply-To: <CAF6rxg=Ni2Kcgdw2XrSVtU1f9eHaFt1-oBTNv8pm8An52x13nQ@mail.gmail.com> References: <CAF6rxg=Ni2Kcgdw2XrSVtU1f9eHaFt1-oBTNv8pm8An52x13nQ@mail.gmail.com>
On 2012-12-20 08:13, Eitan Adler wrote:
> in xrealloc_impl
>
> 338         new_ptr = realloc(ptr, new_size);
> 339         if (new_ptr != NULL)
> 340         {
> 341             hash_table_del(xmalloc_table, ptr);
>
> ^^^ isn't this a use-after-free of ptr?

Yes, realloc does not guarantee the realloc'd space will be at the same address, so it may free ptr at its discretion.

Also, there is a memory leak if realloc() returns NULL. This is a very usual mistake when using realloc(). :-)

Probably, the code should do the hash_table_del() before the realloc(), but I am not sure if hash_table_del() will already free ptr.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50D3023B.8090407>
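The two defects discussed in the thread (touching `ptr` after `realloc()` may have freed it, and losing the original block when `realloc()` returns NULL) come from the ordering of the table update around the `realloc()` call. The following is an added example, not code from grep or from either poster: a constructed allocation-tracking table (a plain array standing in for `xmalloc_table` and `hash_table_del()`, with names invented here) and a realloc wrapper that looks up the tracking slot *before* calling `realloc()`, updates the slot by index afterwards so the old pointer value is never used again, and on failure leaves the original block allocated and tracked so the caller can still free it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Constructed tracking table standing in for grep's xmalloc_table.
 * All names below are this example's own, not grep's. */
#define TRACK_MAX 64
static void  *track_table[TRACK_MAX];   /* NULL = free slot */
static size_t track_sizes[TRACK_MAX];

/* Return the slot holding p, or -1 if p is not tracked. */
static int track_find(const void *p)
{
    for (int i = 0; i < TRACK_MAX; i++)
        if (track_table[i] == p)
            return i;
    return -1;
}

static int track_add(void *p, size_t n)
{
    int i = track_find(NULL);           /* first empty slot */
    if (i < 0)
        return -1;
    track_table[i] = p;
    track_sizes[i] = n;
    return i;
}

size_t track_live_count(void)
{
    size_t live = 0;
    for (int i = 0; i < TRACK_MAX; i++)
        if (track_table[i] != NULL)
            live++;
    return live;
}

size_t track_tracked_size(const void *p)
{
    int i = track_find(p);
    return i < 0 ? 0 : track_sizes[i];
}

void *xmalloc_tracked(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    if (track_add(p, n) < 0) {
        free(p);                        /* table full: do not leak */
        return NULL;
    }
    return p;
}

/* The ordering in the quoted grep code was: realloc() first, then
 * hash_table_del(table, ptr) using the possibly-freed ptr.  Here the
 * slot is resolved BEFORE realloc(), and ptr is not read afterwards. */
void *xrealloc_tracked(void *ptr, size_t new_size)
{
    int slot = (ptr == NULL) ? -1 : track_find(ptr);
    if (ptr != NULL && slot < 0)
        return NULL;                    /* not ours: refuse rather than corrupt the table */

    void *new_ptr = realloc(ptr, new_size);
    if (new_ptr == NULL)
        return NULL;                    /* ptr is still valid and still tracked: no leak */

    if (slot < 0) {                     /* realloc(NULL, n) behaves like malloc(n) */
        if (track_add(new_ptr, new_size) < 0) {
            free(new_ptr);
            return NULL;
        }
    } else {                            /* update by index; the old pointer value is dead */
        track_table[slot] = new_ptr;
        track_sizes[slot] = new_size;
    }
    return new_ptr;
}

void xfree_tracked(void *ptr)
{
    int slot = track_find(ptr);
    if (slot >= 0) {
        track_table[slot] = NULL;
        track_sizes[slot] = 0;
    }
    free(ptr);
}

/* Walk the grow / fail / free sequence; returns 0 on success, else the failing step. */
int check_realloc_wrapper(void)
{
    char *p = xmalloc_tracked(16);
    if (p == NULL || track_live_count() != 1) return 1;
    strcpy(p, "grep");
    char *q = xrealloc_tracked(p, 4096);                 /* grow, contents preserved */
    if (q == NULL || strcmp(q, "grep") != 0) return 2;
    if (track_live_count() != 1 || track_tracked_size(q) != 4096) return 3;
    char *r = xrealloc_tracked(q, SIZE_MAX);             /* cannot succeed: returns NULL */
    if (r != NULL) return 4;
    if (track_live_count() != 1 || track_tracked_size(q) != 4096) return 5;  /* q intact */
    xfree_tracked(q);                                    /* caller can still release it */
    return track_live_count() == 0 ? 0 : 6;
}

int main(void)
{
    printf("check_realloc_wrapper: %d\n", check_realloc_wrapper());
    return 0;
}
```

The failure step relies on `realloc()` rejecting a request of `SIZE_MAX` bytes, which common allocators do by returning NULL with the original block untouched; the point of the check is that after that NULL the block is still tracked and still freeable, which the original ordering did not guarantee.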