1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
|
/*++
/* NAME
/* mymalloc 3
/* SUMMARY
/* memory management wrappers
/* SYNOPSIS
/* #include <mymalloc.h>
/*
/* void *mymalloc(len)
/* ssize_t len;
/*
/* void *myrealloc(ptr, len)
/* void *ptr;
/* ssize_t len;
/*
/* void myfree(ptr)
/* void *ptr;
/*
/* char *mystrdup(str)
/* const char *str;
/*
/* char *mystrndup(str, len)
/* const char *str;
/* ssize_t len;
/*
/* char *mymemdup(ptr, len)
/* const char *ptr;
/* ssize_t len;
/* DESCRIPTION
/* This module performs low-level memory management with error
/* handling. A call of these functions either succeeds or it does
/* not return at all.
/*
/* To save memory, zero-length strings are shared and read-only.
/* The caller must not attempt to modify the null terminator.
/* This code is enabled unless NO_SHARED_EMPTY_STRINGS is
/* defined at compile time (for example, you have an sscanf()
/* routine that pushes characters back into its input).
/*
/* mymalloc() allocates the requested amount of memory. The memory
/* is not set to zero.
/*
/* myrealloc() resizes memory obtained from mymalloc() or myrealloc()
/* to the requested size. The result pointer value may differ from
/* that given via the \fIptr\fR argument.
/*
/* myfree() takes memory obtained from mymalloc() or myrealloc()
/* and makes it available for other use.
/*
/* mystrdup() returns a dynamic-memory copy of its null-terminated
/* argument. This routine uses mymalloc().
/*
/* mystrndup() returns a dynamic-memory copy of at most \fIlen\fR
/* leading characters of its null-terminated
/* argument. The result is null-terminated. This routine uses mymalloc().
/*
/* mymemdup() makes a copy of the memory pointed to by \fIptr\fR
/* with length \fIlen\fR. The result is NOT null-terminated.
/* This routine uses mymalloc().
/* SEE ALSO
/* msg(3) diagnostics interface
/* DIAGNOSTICS
/* Problems are reported via the msg(3) diagnostics routines:
/* the requested amount of memory is not available; improper use
/* is detected; other fatal errors.
/* LICENSE
/* .ad
/* .fi
/* The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/* Wietse Venema
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*
/* Wietse Venema
/* Google, Inc.
/* 111 8th Avenue
/* New York, NY 10011, USA
/*--*/
/* System libraries. */
#include "sys_defs.h"
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
/* Application-specific. */
#include "msg.h"
#include "mymalloc.h"
/*
* Structure of an annotated memory block. In order to detect spurious
* free() calls we prepend a signature to memory given to the application.
* In order to detect access to free()d blocks, overwrite each block as soon
* as it is passed to myfree(). With the code below, the user data has
* integer alignment or better.
*/
typedef struct MBLOCK {
int signature; /* set when block is active */
ssize_t length; /* user requested length */
union {
ALIGN_TYPE align;
char payload[1]; /* actually a bunch of bytes */
} u;
} MBLOCK;
#define SIGNATURE 0xdead
#define FILLER 0xff
#define CHECK_IN_PTR(ptr, real_ptr, len, fname) { \
if (ptr == 0) \
msg_panic("%s: null pointer input", fname); \
real_ptr = (MBLOCK *) (ptr - offsetof(MBLOCK, u.payload[0])); \
if (real_ptr->signature != SIGNATURE) \
msg_panic("%s: corrupt or unallocated memory block", fname); \
real_ptr->signature = 0; \
if ((len = real_ptr->length) < 1) \
msg_panic("%s: corrupt memory block length", fname); \
}
#define CHECK_OUT_PTR(ptr, real_ptr, len) { \
real_ptr->signature = SIGNATURE; \
real_ptr->length = len; \
ptr = real_ptr->u.payload; \
}
#define SPACE_FOR(len) (offsetof(MBLOCK, u.payload[0]) + len)
/*
* Optimization for short strings. We share one copy with multiple callers.
* This differs from normal heap memory in two ways, because the memory is
* shared:
*
* - It must be read-only to avoid horrible bugs. This is OK because there is
* no legitimate reason to modify the null terminator.
*
* - myfree() cannot overwrite the memory with a filler pattern like it can do
* with heap memory. Therefore, some dangling pointer bugs will be masked.
*/
#ifndef NO_SHARED_EMPTY_STRINGS
static const char empty_string[] = "";
#endif
/* mymalloc - allocate memory or bust */
void *mymalloc(ssize_t len)
{
void *ptr;
MBLOCK *real_ptr;
/*
* Note: for safety reasons the request length is a signed type. This
* allows us to catch integer overflow problems that weren't already
* caught up-stream.
*/
if (len < 1)
msg_panic("mymalloc: requested length %ld", (long) len);
#ifdef MYMALLOC_FUZZ
len += MYMALLOC_FUZZ;
#endif
if ((real_ptr = (MBLOCK *) malloc(SPACE_FOR(len))) == 0)
msg_fatal("mymalloc: insufficient memory for %ld bytes: %m",
(long) len);
CHECK_OUT_PTR(ptr, real_ptr, len);
memset(ptr, FILLER, len);
return (ptr);
}
/* myrealloc - reallocate memory or bust */
void *myrealloc(void *ptr, ssize_t len)
{
MBLOCK *real_ptr;
ssize_t old_len;
#ifndef NO_SHARED_EMPTY_STRINGS
if (ptr == empty_string)
return (mymalloc(len));
#endif
/*
* Note: for safety reasons the request length is a signed type. This
* allows us to catch integer overflow problems that weren't already
* caught up-stream.
*/
if (len < 1)
msg_panic("myrealloc: requested length %ld", (long) len);
#ifdef MYMALLOC_FUZZ
len += MYMALLOC_FUZZ;
#endif
CHECK_IN_PTR(ptr, real_ptr, old_len, "myrealloc");
if ((real_ptr = (MBLOCK *) realloc((void *) real_ptr, SPACE_FOR(len))) == 0)
msg_fatal("myrealloc: insufficient memory for %ld bytes: %m",
(long) len);
CHECK_OUT_PTR(ptr, real_ptr, len);
if (len > old_len)
memset(ptr + old_len, FILLER, len - old_len);
return (ptr);
}
/* myfree - release memory */
void myfree(void *ptr)
{
MBLOCK *real_ptr;
ssize_t len;
#ifndef NO_SHARED_EMPTY_STRINGS
if (ptr != empty_string) {
#endif
CHECK_IN_PTR(ptr, real_ptr, len, "myfree");
memset((void *) real_ptr, FILLER, SPACE_FOR(len));
free((void *) real_ptr);
#ifndef NO_SHARED_EMPTY_STRINGS
}
#endif
}
/* mystrdup - save string to heap */
char *mystrdup(const char *str)
{
size_t len;
if (str == 0)
msg_panic("mystrdup: null pointer argument");
#ifndef NO_SHARED_EMPTY_STRINGS
if (*str == 0)
return ((char *) empty_string);
#endif
if ((len = strlen(str) + 1) > SSIZE_T_MAX)
msg_panic("mystrdup: string length >= SSIZE_T_MAX");
return (memcpy(mymalloc(len), str, len));
}
/* mystrndup - save substring to heap */
char *mystrndup(const char *str, ssize_t len)
{
char *result;
char *cp;
if (str == 0)
msg_panic("mystrndup: null pointer argument");
if (len < 0)
msg_panic("mystrndup: requested length %ld", (long) len);
#ifndef NO_SHARED_EMPTY_STRINGS
if (*str == 0)
return ((char *) empty_string);
#endif
if ((cp = memchr(str, 0, len)) != 0)
len = cp - str;
result = memcpy(mymalloc(len + 1), str, len);
result[len] = 0;
return (result);
}
/* mymemdup - copy memory */
char *mymemdup(const void *ptr, ssize_t len)
{
if (ptr == 0)
msg_panic("mymemdup: null pointer argument");
return (memcpy(mymalloc(len), ptr, len));
}
|