Bytes | Software Development & Data Engineering Community

realloc zero bytes?


The C standard doesn't say anything about what happens when you call
realloc with a size argument of 0. Both glibc and openbsd appear to
return a valid pointer to a zero-sized object, e.g. the return of a
malloc(0).

Does anyone know of a runtime where realloc() freed the object and
then returned NULL? If so, it would make the following idiom for
realloc() exploitable. Here's the idiom, snagged from an openbsd man page:

    if ((p2 = realloc(p, nsize)) == NULL) {
        if (p)
            free(p);
        p = NULL;
        return NULL;
    }
    p = p2;

You can see that if nsize is 0 and realloc() freed the memory and
returned NULL, it would be a double-free of p.

Thanks,
rCs
Jan 9 '07
Richard Tobin wrote:
> In article <hb**************@bombur.uio.no>,
> Hallvard B Furuseth <h.**********@usit.uio.no> wrote:
>>The implementation may return NULL when size=0. The above implies
>>that if it does, realloc(nonnull, 0) frees the object first.
>>...
>>The implementation may try to return a non-NULL object. The above
>>implies that if it does, a NULL return comes from a realloc failure
>>and the object has not been freed.
>
> The question is surely whether, on a system that returns NULL for
> malloc(0), a realloc(nonnull, 0) may *fail*, in which case it must
> return NULL and not free the memory. This seems allowable but
> perverse, since how can the system fail in such a case?
The case for malloc(0) is unique and looks like realloc(NULL, 0). In my
view, malloc(0) should return NULL. It makes no sense to return a
pointer to zero bytes of storage. There is no case for
realloc(nonnull, 0) to fail. free() does not have a failure mode.

--
Joe Wright
"Everything should be made as simple as possible, but not simpler."
--- Albert Einstein ---
Jan 11 '07 #11
ri*****@cogsci.ed.ac.uk (Richard Tobin) writes:
> Hallvard B Furuseth <h.**********@usit.uio.no> wrote:
>>The implementation may return NULL when size=0. The above implies
>>that if it does, realloc(nonnull, 0) frees the object first.
>>...
>>The implementation may try to return a non-NULL object. The above
>>implies that if it does, a NULL return comes from a realloc failure
>>and the object has not been freed.
>
> The question is surely whether, on a system that returns NULL for
> malloc(0), a realloc(nonnull, 0) may *fail*,
No. If realloc(nonnull, 0) attempts to return non-NULL, presumably
malloc(0) attempts the same - though I don't see that the standard
requires that.

--
Regards,
Hallvard
Jan 11 '07 #12
In article <hb*************@bombur.uio.no>,
Hallvard B Furuseth <h.**********@usit.uio.no> wrote:
>>The question is surely whether, on a system that returns NULL for
>>malloc(0), a realloc(nonnull, 0) may *fail*,
>No. If realloc(nonnull, 0) attempts to return non-NULL, presumably
>malloc(0) attempts the same - though I don't see that the standard
>requires that.
I was considering the case where both malloc() and realloc() return
NULL for zero bytes, but where - somehow - realloc(nonnull, 0) could
fail. In that case, realloc(nonnull, 0) would return NULL both
when it fails and succeeds, but when it fails the memory would not
have been freed.

Obviously it's absurd for realloc() to fail in that case, but I don't
know that the standard prohibits it.

-- Richard

--
"Considerat ion shall be given to the need for as many as 32 characters
in some alphabets" - X3.4, 1963.
Jan 11 '07 #13

Hallvard B Furuseth wrote:
> Kenneth Brody writes:
>>The source to the runtime library I have here has this note:
(snip; although there are extra >s in the row before, there doesn't
seem to be an attribution line for them)
>> * (2) realloc(pblock, 0) is equivalent to free(pblock) (except that
>> * NULL is returned)
>
> C89 4.10.3.4 says "If size is zero and ptr is not a null pointer, the
> object it points to is freed." The clause has been deleted from C99.
In the context of C89/C90, what is the return value of
realloc(nonnull, 0) and of realloc(0,0)? I've seen too many incorrect
compiler manuals to know truth from fiction about this, so I'd
appreciate C&V.
--
ais523

Jan 11 '07 #14
ri*****@cogsci.ed.ac.uk (Richard Tobin) writes:
> Hallvard B Furuseth <h.**********@usit.uio.no> wrote:
>>The question is surely whether, on a system that returns NULL for
>>malloc(0), a realloc(nonnull, 0) may *fail*,
>>No. If realloc(nonnull, 0) attempts to return non-NULL, presumably
>>malloc(0) attempts the same - though I don't see that the standard
>>requires that.
>
> I was considering the case where both malloc() and realloc() return
> NULL for zero bytes, but where - somehow - realloc(nonnull, 0) could
> fail.
Yes, and that is _not_ what I was asking about. What I'm talking about
is: When realloc(nonnull, 0) has returned NULL, can the caller know
whether or not the object has been freed - when the caller doesn't know
whether or not the implementation always returns NULL from
realloc(nonnull, 0) (and malloc(0))?

--
Regards,
Hallvard
Jan 11 '07 #15
In article <hb**************@bombur.uio.no>,
Hallvard B Furuseth <h.**********@usit.uio.no> wrote:
>Yes, and that is _not_ what I was asking about. What I'm talking about
>is: When realloc(nonnull, 0) has returned NULL, can the caller know
>whether or not the object has been freed - when the caller doesn't know
>whether or not the implementation always returns NULL from
>realloc(nonnull, 0) (and malloc(0))?
No. But again a good implementation would never fail for a realloc of
zero bytes: even if it would normally try to allocate a small block,
it can always succeed by returning the original nonnull value.

-- Richard
--
"Considerat ion shall be given to the need for as many as 32 characters
in some alphabets" - X3.4, 1963.
Jan 11 '07 #16

I think I can answer my own question now:
> Does anyone know of a runtime where realloc() freed the object and
> then returned NULL?
The following code:

    char *p2;
    char *p = malloc(100);
    size_t nsize = 0;

    if ((p2 = realloc(p, nsize)) == NULL) {
        if (p) free(p);
        p = NULL;
        return NULL;
    }
    p = p2;

Compiled with Visual Studio Version 7, blows up on the call to free().

This is because realloc() returns NULL, suggesting that the realloc()
failed and the memory needs to be freed (but presumably already has).

As far as I can tell, this behavior is allowed by the standard.

I tried to write this up as the second example of MEM36-C at:

https://www.securecoding.cert.org/co...cating+0+bytes

I listed the following code as a compliant solution:

    char *p2;
    char *p = malloc(100);
    ....
    if ((nsize == 0) || (p2 = realloc(p, nsize)) == NULL) {
        if (p) free(p);
        p = NULL;
        return NULL;
    }
    p = p2;

Please let me know if any of this is incorrect.

rCs
Jan 11 '07 #17
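One way to make the nsize == 0 case unambiguous on every runtime, as an added example (it is not code from the thread, the CERT page or an openbsd man page; safe_resize, safe_resize_demo and the buffer contents are my own assumptions):

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not from the thread, the CERT page or any man page.
 * safe_resize() resizes p to nsize bytes. On success it returns the new
 * pointer and sets *failed = 0; on allocation failure it returns the
 * original p, still valid and owned by the caller, with *failed = 1.
 * nsize == 0 is handled before realloc() is ever called, so the NULL that
 * some runtimes return from realloc(p, 0) after freeing p (the Visual
 * Studio 7 behaviour reported above) can never be mistaken for a failure
 * and trigger a second free(). */
void *safe_resize(void *p, size_t nsize, int *failed)
{
    void *p2;

    *failed = 0;
    if (nsize == 0) {
        free(p);             /* explicit release; free(NULL) is a no-op */
        return NULL;
    }
    p2 = realloc(p, nsize);
    if (p2 == NULL) {
        /* Failure for a non-zero size: per C99 7.20.3.4 the old object
         * is unchanged, so hand it back instead of freeing it here. */
        *failed = 1;
        return p;
    }
    return p2;
}

/* Drive the helper over a constructed buffer. Returns 1 if every step
 * behaved as specified, 0 otherwise. */
int safe_resize_demo(void)
{
    int failed;
    char *buf = malloc(16);
    if (buf == NULL) return 0;
    memcpy(buf, "hello", 6);

    buf = safe_resize(buf, 64, &failed);   /* grow: contents preserved */
    if (failed || strcmp(buf, "hello") != 0) { free(buf); return 0; }

    buf = safe_resize(buf, 0, &failed);    /* shrink to 0: freed once */
    if (failed || buf != NULL) return 0;

    buf = safe_resize(buf, 0, &failed);    /* again: still no double free */
    return !failed && buf == NULL;
}
```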
ais523 writes:
> In the context of C89/C90, what is the return value of
> realloc(nonnull, 0)
NULL. The object is freed.
Last quoted sentence before Returns (only applies when arg!=NULL).
> and of realloc(0,0)?
NULL or a new object.
First quoted sentence in 4.10.3.4, plus 4.10.3.
> I've seen too many incorrect compiler manuals to know truth from
> fiction about this, so I'd appreciate C&V.
ANSI C (equivalent to C89):

4.10.3 (Memory management functions):

If the size of the space requested is zero, the behavior is
implementation-defined; the value returned shall be either a null
pointer or a unique pointer.

4.10.3.4 (The realloc function):

If ptr is a null pointer, the realloc function behaves like the
malloc function for the specified size. (...) If the space cannot
be allocated, the object pointed to by ptr is unchanged. If size is
zero and ptr is not a null pointer, the object it points to is freed.

Returns
The realloc function returns either a null pointer or a pointer to
the possibly moved allocated space.

--
Hallvard
Jan 11 '07 #18
Hallvard B Furuseth wrote:
> ais523 writes:
>>In the context of C89/C90, what is the return value of
>>realloc(nonnull, 0)
>
> NULL. The object is freed.
> Last quoted sentence before Returns (only applies when arg!=NULL).
>>and of realloc(0,0)?
>
> NULL or a new object.
> First quoted sentence in 4.10.3.4, plus 4.10.3.
>>I've seen too many incorrect compiler manuals to know truth from
>>fiction about this, so I'd appreciate C&V.
>
> ANSI C (equivalent to C89):
>
> 4.10.3 (Memory management functions):
>
> If the size of the space requested is zero, the behavior is
> implementation-defined; the value returned shall be either a
> null pointer or a unique pointer.
>
> 4.10.3.4 (The realloc function):
>
> If ptr is a null pointer, the realloc function behaves like
> the malloc function for the specified size. (...) If the
> space cannot be allocated, the object pointed to by ptr is
> unchanged. If size is zero and ptr is not a null pointer,
> the object it points to is freed.
>
> Returns
> The realloc function returns either a null pointer or a
> pointer to the possibly moved allocated space.
Which means that proper use of the realloc function, with:

    if (tmp = realloc(p, size)) p = tmp;
    else {
        /* failure, take corrective action */
    }

will fall into corrective action for a size of 0, and leave an
invalid value of p hanging about, which may well go BOOM on
eventual use (including free). Thus good implementations will not
return NULL for successful malloc/realloc/calloc of zero sizes.

--
Chuck F (cbfalconer at maineline dot net)
Available for consulting/temporary embedded and systems.
<http://cbfalconer.home.att.net>
Jan 12 '07 #19
"Hallvard B Furuseth" <h.**********@u sit.uio.nowrote in message
news:hb******** ******@bombur.u io.no...
If realloc(nonnull , 0) returns NULL, has the object been freed?
No. realloc returns a null pointer (only) if the new object could
not be allocated, and if memory for the new object cannot be
allocated, the old objct is not deallocated and its value is unchanged.
Thats directly from the realloc spec (C99 7.20.3.4).
Jan 12 '07 #20
