Posted to commits@nuttx.apache.org by gn...@apache.org on 2020/06/29 23:10:38 UTC

[incubator-nuttx] 01/02: mm: Do not memcopy more than oldsize when realloc

This is an automated email from the ASF dual-hosted git repository.

gnutt pushed a commit to branch releases/9.1
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git

commit 3b1dca8167d8abc22a7e0c71759bfc560c4e71c5
Author: Brennan Ashton <ba...@brennanashton.com>
AuthorDate: Sun Jun 28 11:57:38 2020 -0700

    mm: Do not memcopy more than oldsize when realloc
    
    When realloc up from a mem area to a larger one where a new node
    is needed, the larger memory region is copied from the source;
    this can both leak data as well as cause memory faults accessing
    invalid data.
    
    This was first reported by Kwonsk
    
    Signed-off-by: Brennan Ashton <ba...@brennanashton.com>
---
 mm/mm_heap/mm_realloc.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/mm/mm_heap/mm_realloc.c b/mm/mm_heap/mm_realloc.c
index 8b983b0..1f83ee7 100644
--- a/mm/mm_heap/mm_realloc.c
+++ b/mm/mm_heap/mm_realloc.c
@@ -270,17 +270,17 @@ FAR void *mm_realloc(FAR struct mm_heap_s *heap, FAR void *oldmem,
                                     (next->preceding & MM_ALLOC_BIT);
             }
 
-          /* Now we want to return newnode */
-
-          oldnode = newnode;
-          oldsize = newnode->size;
-
           /* Now we have to move the user contents 'down' in memory.  memcpy
            * should be safe for this.
            */
 
           newmem = (FAR void *)((FAR char *)newnode + SIZEOF_MM_ALLOCNODE);
           memcpy(newmem, oldmem, oldsize - SIZEOF_MM_ALLOCNODE);
+
+          /* Now we want to return newnode */
+
+          oldnode = newnode;
+          oldsize = newnode->size;
         }
 
       /* Extend into the next free chunk */
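Review bot: Moving `oldnode = newnode; oldsize = newnode->size;` to after the `memcpy` is the whole fix in this hunk, and the `memcpy` line should get a comment saying so, because the ordering is the only thing protecting the copy length: the removed lines overwrote `oldsize` with the new node's (larger) size before the copy, so `memcpy(newmem, oldmem, oldsize - SIZEOF_MM_ALLOCNODE)` read past the end of the original allocation, which is the data leak and invalid access the commit message describes. Suggest extending the existing comment with something like `/* oldsize must still be the original node's size here; copy only the old user data. */` so a later refactor does not reintroduce the bug. Separately, the comment "move the user contents 'down' in memory. memcpy should be safe for this" is an assertion without its reasoning in the hunk; since the destination starts below the source in the same heap, it would be worth stating why the ranges cannot overlap (or switching to `memmove` if they can), as `memcpy` on overlapping ranges is undefined behaviour.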