| author | Yossi Gottlieb <yossigo@gmail.com> | 2020-10-26 14:49:08 +0200 |
|---|---|---|
| committer | Oran Agra <oran@redislabs.com> | 2020-10-27 08:49:22 +0200 |
| commit | 3cf3beff2c339f3ceaff70e5c225aa9c2ad6f8d0 (patch) | |
| tree | 6efbef51555e1bfe317587ee5e54159ed4949c14 | |
| parent | 54eb66495f1e11ca2018579cdc37e3a747b00c72 (diff) | |
| download | redis-3cf3beff2c339f3ceaff70e5c225aa9c2ad6f8d0.tar.gz | |
Fix wrong zmalloc_size() assumption. (#7963)
When using a system with no malloc_usable_size(), zmalloc_size() assumed
that the heap allocator always returns blocks that are long-padded.
This may not always be the case, and will result in zmalloc_size()
returning a size that is bigger than allocated. At least in one case
this leads to an out-of-bounds write, process crash and a potential security
vulnerability.
Effectively this does not affect the vast majority of users, who use
jemalloc or glibc.
This problem along with a (different) fix was reported by Drew DeVault.
(cherry picked from commit 9824fe3e392caa04dc1b4071886e9ac402dd6d95)
(cherry picked from commit ce0d74d8fdff55d07929f562ec9acf2d00caf893)
-rw-r--r-- | src/zmalloc.c | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/src/zmalloc.c b/src/zmalloc.c index dd655620c..972db79d7 100644 --- a/src/zmalloc.c +++ b/src/zmalloc.c @@ -177,9 +177,6 @@ void *zrealloc(void *ptr, size_t size) { size_t zmalloc_size(void *ptr) { void *realptr = (char*)ptr-PREFIX_SIZE; size_t size = *((size_t*)realptr); - /* Assume at least that all the allocations are padded at sizeof(long) by - * the underlying allocator. */ - if (size&(sizeof(long)-1)) size += sizeof(long)-(size&(sizeof(long)-1)); return size+PREFIX_SIZE; } size_t zmalloc_usable(void *ptr) { |
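Review bot: With the rounding removed, zmalloc_size() on the no-malloc_usable_size() path now returns exactly the size stored in the prefix (`size_t size = *((size_t*)realptr);`) plus PREFIX_SIZE, i.e. the size originally requested rather than the allocator's usable block size. That is the safe direction (a lower bound can never let a caller write past the real block), but the function loses its only comment in this hunk; a one-line replacement stating that on this fallback path the value is the requested size, not the usable size, would stop a future reader from reintroducing the `sizeof(long)` assumption. The trailing context shows `size_t zmalloc_usable(void *ptr) {` directly after this function; it is worth confirming that it obtains its value through zmalloc_size() so that consumers of the "usable" size also stop assuming any padding slack beyond what was requested.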