use after free in grep?
Harald Servat
redcrash at gmail.com
Thu Dec 20 09:34:20 UTC 2012
Hello Eitan,
ptr is not changed in realloc (although its allocated memory region is
freed). Is it possible that hash_table_del only takes the value of ptr and
removes such an entry from the hash table? While *ptr is not accessed,
that should be fine, shouldn't it?
Regards.
2012/12/20 Eitan Adler <lists at eitanadler.com>
> Hey,
>
> in xrealloc_impl
>
> new_ptr = realloc(ptr, new_size);
> if (new_ptr != NULL)
> {
>     hash_table_del(xmalloc_table, ptr);
>
> ^^^ isn't this a use-after-free of ptr?
>
> §7.22.3.5.2 says that ptr is deallocated after the call to realloc.
>
>     hash_table_add(xmalloc_table, new_ptr, (int)new_size, file, line, func);
> }
>
>
>
> --
> Eitan Adler
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
--
Fry: You can see how I lived before I met you.
Bender: You lived before you met me?!
Fry: Yeah, lots of people did.
Bender: Really?!
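Added example (not grep's code, and not from either poster): a small allocation tracker keyed by pointer value, with the lookup-then-realloc ordering the thread is circling around. hash_table_del() in the quoted snippet only needs the old pointer as a key, but C11 6.2.4p2 makes a pointer's value indeterminate once the object it points to is freed, so even the comparison inside the lookup is outside what the standard guarantees; consulting and dropping the entry before realloc() (and restoring it if realloc() fails, since the old block then stays valid) avoids the question entirely. All names here (track_table, track_add, xrealloc_tracked, ...) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical allocation tracker (example code; not grep's xmalloc_table).
 * Entries are keyed by the pointer value handed to the caller, so every
 * lookup by key happens while that pointer is still live, i.e. before the
 * realloc() or free() that may invalidate it.
 */
#define TRACK_SLOTS 64

struct track_entry {
    void *ptr;    /* key; NULL marks an empty slot */
    size_t size;  /* size requested for that block */
};

static struct track_entry track_table[TRACK_SLOTS];

static struct track_entry *track_find(const void *ptr)
{
    for (int i = 0; i < TRACK_SLOTS; i++)
        if (track_table[i].ptr == ptr)
            return &track_table[i];
    return NULL;
}

/* Returns 0 on success, -1 when no slot is free. */
static int track_add(void *ptr, size_t size)
{
    struct track_entry *e = track_find(NULL);
    if (e == NULL)
        return -1;
    e->ptr = ptr;
    e->size = size;
    return 0;
}

/* Returns 1 if an entry for ptr was removed, 0 if none existed. */
static int track_del(const void *ptr)
{
    struct track_entry *e = track_find(ptr);
    if (e == NULL)
        return 0;
    e->ptr = NULL;
    e->size = 0;
    return 1;
}

size_t tracked_size(const void *ptr)
{
    const struct track_entry *e = track_find(ptr);
    return e ? e->size : 0;
}

size_t tracked_count(void)
{
    size_t n = 0;
    for (int i = 0; i < TRACK_SLOTS; i++)
        if (track_table[i].ptr != NULL)
            n++;
    return n;
}

void *xmalloc_tracked(size_t size)
{
    void *p = malloc(size);
    if (p != NULL && track_add(p, size) != 0) {
        free(p);
        return NULL;
    }
    return p;
}

void *xrealloc_tracked(void *ptr, size_t new_size)
{
    size_t old_size = 0;
    /* Consult and drop the old entry BEFORE realloc(), while ptr is live. */
    if (ptr != NULL) {
        old_size = tracked_size(ptr);
        if (!track_del(ptr))
            return NULL;  /* not a block we track; refuse rather than guess */
    }
    void *new_ptr = realloc(ptr, new_size);
    if (new_ptr == NULL) {
        /* realloc() failed: the old block is untouched, so restore its entry. */
        if (ptr != NULL)
            track_add(ptr, old_size);
        return NULL;
    }
    if (track_add(new_ptr, new_size) != 0) {
        free(new_ptr);  /* table full; only reachable when ptr was NULL */
        return NULL;
    }
    return new_ptr;
}

void xfree_tracked(void *ptr)
{
    if (ptr == NULL)
        return;
    track_del(ptr);  /* same rule: key lookup before the block dies */
    free(ptr);
}

/* Round trip used by main(): returns 0 when the table stays consistent. */
int demo_realloc_roundtrip(void)
{
    void *p = xmalloc_tracked(16);
    if (p == NULL || tracked_size(p) != 16 || tracked_count() != 1)
        return 1;
    void *q = xrealloc_tracked(p, 4096);  /* p is not used after this line */
    if (q == NULL) {
        xfree_tracked(p);  /* realloc failed, so p is still valid and tracked */
        return 2;
    }
    if (tracked_size(q) != 4096 || tracked_count() != 1)
        return 3;
    xfree_tracked(q);
    return tracked_count() == 0 ? 0 : 4;
}

int main(void)
{
    printf("tracker round trip: %s\n", demo_realloc_roundtrip() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The demo deliberately never touches p after the realloc, not even to look it up: whether q happens to equal p is the allocator's business, and a test that compared them would be making the same assumption the quoted code makes.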