bug-glibc

Possible bug in the memory chunk management.


From: Ehud Tenenbaum
Subject: Possible bug in the memory chunk management.
Date: Sun, 17 Feb 2002 20:12:16 +0200

Hey,

We would like to confirm a bug we at 2xs LTD came across.

Problem:

When you allocate a multidimensional array of pointers dynamically
and point these dynamically allocated pointers to also dynamically
allocated variables, then allocation of subsequent variables will
overwrite parts of the first variables.
We attached proof-of-concept code in order to show
exactly what we mean. After a short audit of the calloc/malloc code
(malloc suffers from the same problem) we think it's not a bug in there;
we believe the problem is inside the memory chunk management, but
we could be wrong.

Workaround:

Well, there is a workaround: you need to make the first buffer
a static one, and by that it won't collide.

Should you have any more questions or comments, don't hesitate to contact
us:

Ehud Tenenbaum <address@hidden> CTO, Project Manager.
Izik Kotler <address@hidden> Senior Programmer.
Mixter <address@hidden> Senior Programmer.


-- 
------------
Ehud Tenenbaum
C.T.O & Project Manager 
2xs LTD. 
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: address@hidden
------------ 
                                 Have A Safe Day

/*
  Example for the bug, as posted: the two pointer arrays are allocated
  with a byte count (6 and 12) rather than with calloc(count, sizeof(char *)).
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

char **buf_h;
char **buf_e;

int main(void) {
   int ctr, i;

   buf_h = calloc(1, 6);    /* 6 bytes; the loop below stores pointers at buf_h[1..6] */
   buf_e = calloc(1, 12);   /* 12 bytes; the second loop stores pointers at buf_e[0..5] */

   if ((!buf_h) || (!buf_e))
     return -1;

   ctr = 0;

   /* i = 512, 1024, ..., 16384: six buffers of 1024 .. 32768 bytes */
   for (i = 512; i < 20000; i *= 2) {
      ctr++;

      buf_h[ctr] = calloc(1, (i * 2));

      if (!buf_h[ctr]) {
        perror("buf_h");
        return -1;
      }

      /* fill all but the last (zero) byte, so strlen() reports size - 1 */
      memset(buf_h[ctr], 'A', ((i * 2) - 1));
      printf("** buf_h (%d) length is %zu bytes\n", ctr, strlen(buf_h[ctr]));
   }

   printf("** buf_h[4] is %zu bytes\n", strlen(buf_h[4]));

   for (i = 0; i < 6; i++) {
      buf_e[i] = calloc(1, 100);

      if (!buf_e[i]) {
        perror("buf_e");
        return -1;
      }

      memset(buf_e[i], 0x41, 1);
   }

   /* compare with the buf_h[4] length printed before the buf_e loop */
   printf("** after loop buf_h[4] is %zu\n", strlen(buf_h[4]));
   return 0;
}

/*
  Workaround version: buf_h is a static array of pointers instead of a
  calloc'd one; buf_e is still allocated with a byte count.
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

char *buf_h[6];    /* static array of 6 pointers (buf_h[0..5]) */
char **buf_e;

int main(void) {
   int ctr, i;

   buf_e = calloc(1, 12);   /* 12 bytes; the second loop stores pointers at buf_e[0..5] */

   if (!buf_e)
     return -1;

   ctr = 0;

   /* i = 512, 1024, ..., 16384: six buffers, stored at buf_h[1..6] */
   for (i = 512; i < 20000; i *= 2) {
      ctr++;

      buf_h[ctr] = calloc(1, (i * 2));

      if (!buf_h[ctr]) {
        perror("buf_h");
        return -1;
      }

      /* fill all but the last (zero) byte, so strlen() reports size - 1 */
      memset(buf_h[ctr], 'A', ((i * 2) - 1));
      printf("** buf_h (%d) length is %zu bytes\n", ctr, strlen(buf_h[ctr]));
   }

   printf("** buf_h[4] is %zu bytes\n", strlen(buf_h[4]));

   for (i = 0; i < 6; i++) {
      buf_e[i] = calloc(1, 100);

      if (!buf_e[i]) {
        perror("buf_e");
        return -1;
      }

      memset(buf_e[i], 0x41, 1);
   }

   /* compare with the buf_h[4] length printed before the buf_e loop */
   printf("** after loop buf_h[4] is %zu\n", strlen(buf_h[4]));
   return 0;
}
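The same allocation sequence with both pointer arrays sized by element count and sizeof(char *) for every index the loops use, added here as an example and not part of the original report; count_buffers and pointer_array_demo are names chosen for this example. With in-bounds pointer storage, buf_h[4] keeps its 8191 'A' bytes through the buf_e loop.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* How many buffers the report's loop creates: i = 512, 1024, ..., 16384. */
size_t count_buffers(void)
{
    size_t n = 0;
    for (int i = 512; i < 20000; i *= 2)
        n++;
    return n;                       /* 6, stored at buf_h[1..6] */
}

/*
 * The report's allocation sequence with buf_h and buf_e sized by element
 * count and sizeof(char *) rather than by a fixed byte count.
 * Returns strlen(buf_h[4]) after the buf_e loop, or 0 on allocation failure.
 */
size_t pointer_array_demo(void)
{
    size_t n = count_buffers(), ctr = 0, result = 0;
    /* n + 1 slots keeps the report's 1-based indexing (buf_h[1..n]) in bounds */
    char **buf_h = calloc(n + 1, sizeof *buf_h);
    char **buf_e = calloc(6, sizeof *buf_e);

    if (!buf_h || !buf_e)
        goto out;

    for (int i = 512; i < 20000; i *= 2) {
        buf_h[++ctr] = calloc(1, (size_t)i * 2);
        if (!buf_h[ctr])
            goto out;
        memset(buf_h[ctr], 'A', (size_t)i * 2 - 1);   /* last byte stays 0 */
    }

    for (int i = 0; i < 6; i++) {
        buf_e[i] = calloc(1, 100);
        if (!buf_e[i])
            goto out;
        buf_e[i][0] = 'A';
    }

    /* buf_h[4] is the 8192-byte buffer: 8191 'A's when its pointer was not overwritten */
    result = strlen(buf_h[4]);
out:
    if (buf_h) { for (size_t k = 1; k <= n; k++) free(buf_h[k]); free(buf_h); }
    if (buf_e) { for (int i = 0; i < 6; i++) free(buf_e[i]); free(buf_e); }
    return result;
}
```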
