realloc zero bytes?


Problem description

The C standard doesn't say anything about what happens when you call
realloc with a size argument of 0. Both glibc and openbsd appear to
return a valid pointer to a zero-sized object, e.g. the return of a
malloc(0).

Does anyone know of a runtime where realloc() free'ed the object and
then returned NULL? If so, it would make the following idiom for
realloc() exploitable. Here's the idiom, snagged from an openbsd man page:

if ((p2 = realloc(p, nsize)) == NULL) {
        if (p)
                free(p);
        p = NULL;
        return NULL;
}
p = p2;

You can see that if nsize is 0 and realloc() free'ed the memory and
returned NULL, it would be a double-free of p.

Thanks,
rCs

Solution

Robert Seacord <rc*@sei.cmu.edu> wrote:

> The C standard doesn't say anything about what happens when you call
> realloc with a size argument of 0. Both glibc and openbsd appear to
> return a valid pointer to a zero-sized object, e.g. the return of a
> malloc(0).
>
> Does anyone know of a runtime where realloc() free'ed the object and
> then returned NULL? If so, it would make the following idiom for
> realloc() exploitable. Here's the idiom, snagged from an openbsd man page:

The standard (C99) says:
7.20.3.4-3
"... If memory for the new object cannot be allocated, the old object is
not deallocated and its value is unchanged."
Also:
7.20.3.4-4
"The realloc function returns a pointer to the new object (which may
have the same value as a pointer to the old object), or a null pointer
if the new object could not be allocated."

> if ((p2 = realloc(p, nsize)) == NULL) {
>         if (p)
>                 free(p);

If realloc fails then p retains its old value. If p is NULL when you
pass it to realloc you already know it's NULL and you don't want to free
it.

>         p = NULL;
>         return NULL;
> }
> p = p2;
>
> You can see that if nsize is 0 and realloc() free'ed the memory and
> returned NULL, it would be a double-free of p.

Realloc won't free the memory and return NULL because the standard says
it doesn't.
--
Ioan - Ciprian Tandau
tandau _at_ freeshell _dot_ org (hope it's not too late)
(... and that it still works...)


Nelu wrote:

> Robert Seacord <rc*@sei.cmu.edu> wrote:
>
>> The C standard doesn't say anything about what happens when you call
>> realloc with a size argument of 0. Both glibc and openbsd appear to
>> return a valid pointer to a zero-sized object, e.g. the return of a
>> malloc(0).
>>
>> Does anyone know of a runtime where realloc() free'ed the object and
>> then returned NULL? If so, it would make the following idiom for
>> realloc() exploitable. Here's the idiom, snagged from an openbsd man page:
>
> The standard (C99) says:
> 7.20.3.4-3
> "... If memory for the new object cannot be allocated, the old object is
> not deallocated and its value is unchanged."
> Also:
> 7.20.3.4-4
> "The realloc function returns a pointer to the new object (which may
> have the same value as a pointer to the old object), or a null pointer
> if the new object could not be allocated."

But if size is 0, there won't be any problems allocating the memory, so
nothing will be allocated and the existing memory will be freed.

> Realloc won't free the memory and return NULL because the standard says
> it doesn't.

Surely it may free the memory and return a pointer to a zero sized block.

--
Ian Collins.


Ian Collins <ia******@hotmail.com> wrote:

> Nelu wrote:
>
>> Robert Seacord <rc*@sei.cmu.edu> wrote:
>>
>>> The C standard doesn't say anything about what happens when you call
>>> realloc with a size argument of 0. Both glibc and openbsd appear to
>>> return a valid pointer to a zero-sized object, e.g. the return of a
>>> malloc(0).
>>>
>>> Does anyone know of a runtime where realloc() free'ed the object and
>>> then returned NULL? If so, it would make the following idiom for
>>> realloc() exploitable. Here's the idiom, snagged from an openbsd man page:
>>
>> The standard (C99) says:
>> 7.20.3.4-3
>> "... If memory for the new object cannot be allocated, the old object is
>> not deallocated and its value is unchanged."
>> Also:
>> 7.20.3.4-4
>> "The realloc function returns a pointer to the new object (which may
>> have the same value as a pointer to the old object), or a null pointer
>> if the new object could not be allocated."
>
> But if size is 0, there won't be any problems allocating the memory, so
> nothing will be allocated and the existing memory will be freed.

And it will return a valid pointer that will not be NULL and p2==NULL
will be false.

>> Realloc won't free the memory and return NULL because the standard says
>> it doesn't.
>
> Surely it may free the memory and return a pointer to a zero sized block.

A valid pointer that's not NULL.

--
Ioan - Ciprian Tandau
tandau _at_ freeshell _dot_ org (hope it's not too late)
(... and that it still works...)
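The whole thread turns on one question: can realloc(p, 0) release p and also return NULL, so that the man-page idiom frees p a second time? The program below is an added example written for this page, not code from the thread, from OpenBSD or from any libc. It models both behaviours the posters describe (return a zero-sized object, or free and return NULL), runs the quoted idiom against each with a traced free() so that a would-be double free is counted rather than actually performed, and then runs a hardened variant of the idiom that never passes zero bytes to realloc. The enum names, the trace helpers, model_realloc and the grow_* functions are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Two behaviours an allocator may have for realloc(p, 0) with p != NULL.
 * Hypothetical model for this example only, not any libc's real code. */
enum zero_policy {
    ZERO_RETURNS_OBJECT,     /* returns a valid, non-NULL zero-sized object */
    ZERO_FREES_RETURNS_NULL  /* releases p and returns NULL */
};

/* Trace of free() calls. A block seen a second time is recorded but not
 * released again, so the experiment observes a would-be double free
 * instead of performing one (pointer values are only compared, never used). */
#define MAX_FREES 16
static void *freed_log[MAX_FREES];
static int freed_count;

static void trace_reset(void) { freed_count = 0; }

static void trace_free(void *p) {
    int seen_before = 0;
    for (int i = 0; i < freed_count && i < MAX_FREES; i++)
        if (freed_log[i] == p)
            seen_before = 1;
    if (freed_count < MAX_FREES)
        freed_log[freed_count] = p;
    freed_count++;
    if (!seen_before)
        free(p);
}

/* 1 if any block appears twice in the trace, else 0. */
static int has_double_free(void) {
    int n = freed_count < MAX_FREES ? freed_count : MAX_FREES;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if (freed_log[i] == freed_log[j])
                return 1;
    return 0;
}

/* Model realloc: for nsize == 0 apply the chosen policy, otherwise defer to
 * the real realloc. The "zero-sized object" is modelled as a 1-byte block. */
static void *model_realloc(void *p, size_t nsize, enum zero_policy pol) {
    if (nsize == 0 && p != NULL) {
        if (pol == ZERO_FREES_RETURNS_NULL) {
            trace_free(p);
            return NULL;
        }
        return realloc(p, 1);
    }
    return realloc(p, nsize);
}

/* The idiom quoted from the OpenBSD man page, run against the model.
 * Returns the new block, or NULL after releasing and clearing the old one. */
static void *grow_idiom(void **pp, size_t nsize, enum zero_policy pol) {
    void *p = *pp, *p2;
    if ((p2 = model_realloc(p, nsize, pol)) == NULL) {
        if (p)
            trace_free(p);   /* double free if the allocator already released p */
        *pp = NULL;
        return NULL;
    }
    *pp = p2;
    return p2;
}

/* Hardened variant: never request zero bytes, so NULL can only mean
 * allocation failure and the old block is still live when it is freed. */
static void *grow_hardened(void **pp, size_t nsize, enum zero_policy pol) {
    return grow_idiom(pp, nsize == 0 ? 1 : nsize, pol);
}

/* Run one 16-byte buffer through a zero-size resize and report whether the
 * trace shows a double free: 1 = yes, 0 = no, -1 = the initial malloc failed. */
static int experiment(enum zero_policy pol, int hardened) {
    trace_reset();
    void *buf = malloc(16);
    if (buf == NULL)
        return -1;
    void *r = hardened ? grow_hardened(&buf, 0, pol) : grow_idiom(&buf, 0, pol);
    if (r != NULL)
        trace_free(buf);     /* idiom succeeded: the one legitimate release */
    return has_double_free();
}

int main(void) {
    printf("returns object, idiom as quoted: double free = %d\n",
           experiment(ZERO_RETURNS_OBJECT, 0));
    printf("frees + NULL,   idiom as quoted: double free = %d\n",
           experiment(ZERO_FREES_RETURNS_NULL, 0));
    printf("frees + NULL,   hardened idiom:  double free = %d\n",
           experiment(ZERO_FREES_RETURNS_NULL, 1));
    return 0;
}
```

The hardened wrapper is the practical takeaway: clamping nsize to 1 keeps the call out of the zero-size case entirely, so a NULL result can only mean failure and the old block is guaranteed to still be live when the idiom frees it. That matters because the standard text Nelu quotes is exactly the part later revised: C17 (resolving DR 400) made it implementation-defined whether the old object is deallocated when the requested size is zero, and lists the size-0 call as obsolescent, so portable code should not rely on either behaviour the thread discusses.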

