mm: Do not memcopy more than oldsize when realloc

When realloc up from a mem area to a larger one where a new node
is needed, the larger memory region is copied from the source;
this can both leak data as well as cause memory faults accessing
invalid data.

This was first reported by Kwonsk

Signed-off-by: Brennan Ashton <bashton@brennanashton.com>
This commit is contained in:
Brennan Ashton 2020-06-28 11:57:38 -07:00
parent b296adc3bb
commit fcd6e1c7eb
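As an added illustration, not code from this commit or from NuttX, the following constructed C model reproduces the situation the message describes: a live allocation is grown by merging it with free space below it, so the user contents must be moved "down" into a new, larger node. The model captures the old node's size before any header is rewritten and copies only that many payload bytes, which is the ordering the patch restores. All names (`mm_node_sim`, `sim_realloc_move`, `run_scenario`, the offsets and sizes) are hypothetical; the 8-byte header with a `size` field that counts header plus payload mirrors how `oldsize` and `newnode->size` are used on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a heap node: an 8-byte header whose size field counts
 * header plus payload. The names below are hypothetical, not NuttX's. */
struct mm_node_sim {
    uint32_t size;       /* total node size including this header */
    uint32_t preceding;  /* size of the preceding node (unused in this model) */
};
#define NODE_HDR (sizeof(struct mm_node_sim))

static unsigned char g_arena[160];   /* constructed toy heap */

static struct mm_node_sim *node_at(size_t off) {
    return (struct mm_node_sim *)(g_arena + off);
}

/* Write a node header at byte offset off and fill its payload with fill. */
static void place_node(size_t off, uint32_t size, unsigned char fill) {
    node_at(off)->size = size;
    node_at(off)->preceding = 0;
    memset(g_arena + off + NODE_HDR, fill, size - NODE_HDR);
}

/* Move the allocation at old_off into a new (lower, larger) node at new_off of
 * total size newsize. The copy length is taken from the OLD node's size before
 * any header is rewritten; sizing it from the new node instead would read past
 * the old payload into whatever follows it. Returns the payload bytes copied. */
size_t sim_realloc_move(size_t old_off, size_t new_off, uint32_t newsize) {
    uint32_t oldsize = node_at(old_off)->size;   /* read before anything changes */
    size_t copylen = oldsize - NODE_HDR;          /* old payload only */
    if (copylen > newsize - NODE_HDR)             /* defensive bound on the destination */
        copylen = newsize - NODE_HDR;

    unsigned char *src = g_arena + old_off + NODE_HDR;
    unsigned char *dst = g_arena + new_off + NODE_HDR;
    memmove(dst, src, copylen);   /* memmove: well defined even if the ranges overlap */

    node_at(new_off)->size = newsize;             /* only now adopt the new node's size */
    return copylen;
}

/* Constructed scenario: free space at 16..64, a 32-byte live node at 64..96
 * (payload 'A') and a neighbouring live node at 96..128 (payload 'B').
 * Growing the 'A' allocation merges it with the free space below it into an
 * 80-byte node at offset 16. */
enum { OLD_OFF = 64, NEW_OFF = 16, OLD_SIZE = 32, NEW_SIZE = 80, NBR_OFF = 96 };

size_t run_scenario(void) {
    memset(g_arena, 0xEE, sizeof g_arena);   /* sentinel: bytes owned by nobody */
    place_node(OLD_OFF, OLD_SIZE, 'A');
    place_node(NBR_OFF, OLD_SIZE, 'B');
    return sim_realloc_move(OLD_OFF, NEW_OFF, NEW_SIZE);
}

/* 1 if the first `copied` bytes of the new payload hold the old contents. */
int new_payload_prefix_ok(size_t copied) {
    const unsigned char *p = g_arena + NEW_OFF + NODE_HDR;
    for (size_t i = 0; i < copied; i++)
        if (p[i] != 'A') return 0;
    return 1;
}

/* Number of bytes anywhere in the new payload that carry the neighbour's 'B'
 * pattern. A copy sized from the new node would have pulled those in. */
size_t neighbour_bytes_in_new_payload(void) {
    const unsigned char *p = g_arena + NEW_OFF + NODE_HDR;
    size_t n = 0;
    for (size_t i = 0; i < NEW_SIZE - NODE_HDR; i++)
        if (p[i] == 'B') n++;
    return n;
}

/* 1 if the neighbouring node's header and payload were left untouched. */
int neighbour_intact(void) {
    if (node_at(NBR_OFF)->size != OLD_SIZE) return 0;
    const unsigned char *p = g_arena + NBR_OFF + NODE_HDR;
    for (size_t i = 0; i < OLD_SIZE - NODE_HDR; i++)
        if (p[i] != 'B') return 0;
    return 1;
}
```

The scenario is arranged so that the two outcomes differ observably: copying `oldsize - NODE_HDR` (24) bytes moves exactly the 'A' payload and never touches the 'B' node, whereas a copy sized from the new node (72 bytes) would have read straight through the neighbour's header and payload and deposited it in the new buffer. `memmove` is used rather than `memcpy` because when the old and new nodes overlap the copy is only safe for a forward-copying `memcpy`, and the C standard does not promise that.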


@ -270,17 +270,17 @@ FAR void *mm_realloc(FAR struct mm_heap_s *heap, FAR void *oldmem,
(next->preceding & MM_ALLOC_BIT);
}
/* Now we want to return newnode */
oldnode = newnode;
oldsize = newnode->size;
/* Now we have to move the user contents 'down' in memory. memcpy
* should be safe for this.
*/
newmem = (FAR void *)((FAR char *)newnode + SIZEOF_MM_ALLOCNODE);
memcpy(newmem, oldmem, oldsize - SIZEOF_MM_ALLOCNODE);
/* Now we want to return newnode */
oldnode = newnode;
oldsize = newnode->size;
}
/* Extend into the next free chunk */
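Review bot: with `oldsize = newnode->size;` now placed after the `memcpy`, the copy length `oldsize - SIZEOF_MM_ALLOCNODE` is the original allocation's payload rather than the merged node's size, so the over-read that leaked the following node's bytes is gone. One remaining point in the same hunk: the comment says the contents move 'down' and that `memcpy` "should be safe for this", which only holds because the destination starts below the source and the libc copies forward; since the two ranges can overlap when the preceding free chunk is smaller than the old allocation, `memcpy` on them is undefined behaviour regardless of copy direction. `memmove(newmem, oldmem, oldsize - SIZEOF_MM_ALLOCNODE);` would state the intent and not depend on the libc implementation, and the comment could then be shortened accordingly.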