I'm currently learning heap exploitation and overflows, but I'm stuck with an issue. I'm using glibc v2.19, and the issue appears when I try to examine the heap memory with gdb.
Here is the code that I'm using.
#include <stdlib.h>
#include <string.h>
int main(void) {
    char *p = malloc(20);
    strcpy(p, "AAAAAAAA");
    free(p);
    return 0;
}
This is the gdb output for the allocated chunk.
(gdb) x/4xw 0x0804b008-8
0x804b000: 0x00000000 0x00000019 0x41414141 0x41414141
This is the gdb output for the unallocated chunk.
(gdb) x/4xw 0x0804b008-8
0x804b000: 0x00000000 0x00000019 0x00000000 0x41414141
I can see that the size field does not change after deallocation, so how can this be, and how does the allocator know whether this is a free chunk or not? Because, as far as I know, the first 3 bits of the size are used as status flags.
Why is the next pointer "0x0000000" not pointing anywhere?
And why is the pointer to the previous chunk "0x41414141" not used?
And how, in this situation, does the allocator look for free chunks?
I have also tried to free two contiguous chunks, and after I freed the second one, the previous size field, which should be used as the size of the previous free chunk, is also not used; it is just zeroed.
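As an added illustration (not code from the question), the following program reads the same header words from a running process and decodes the flag bits, then shows that a small chunk's in-use state is recorded in the next chunk's size word rather than its own; it assumes glibc's chunk layout, with the size word directly before the pointer malloc returns. The gdb output above is from glibc 2.19 fastbins; on glibc 2.26 and later the first two words of a small freed chunk hold tcache bookkeeping instead of fd/bk, so the freed chunk's body looks different there.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* glibc stores a chunk's size word right before the pointer malloc returns
 * (4 bytes on 32-bit as in the question, 8 on 64-bit). Its low three bits are
 * flags, so the 0x19 seen in gdb is a 0x18-byte chunk with PREV_INUSE set. */
#define PREV_INUSE     0x1
#define IS_MMAPPED     0x2
#define NON_MAIN_ARENA 0x4
#define SIZE_BITS (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)
struct chunk_info { size_t size; int prev_inuse, is_mmapped, non_main_arena; };

/* Pure decoding of a raw size word; does not touch the heap. */
struct chunk_info decode_size_word(size_t word) {
    struct chunk_info c;
    c.size = word & ~(size_t)SIZE_BITS;
    c.prev_inuse = (word & PREV_INUSE) != 0;
    c.is_mmapped = (word & IS_MMAPPED) != 0;
    c.non_main_arena = (word & NON_MAIN_ARENA) != 0;
    return c;
}
/* Raw size word of the chunk holding user pointer p (glibc layout assumed). */
size_t header_word(const void *p) {
    return *(const size_t *)((const char *)p - sizeof(size_t));
}
/* Size word of the *following* chunk: chunk start (two words before p) plus
 * this chunk's size. A small chunk's in-use state lives in that word's
 * PREV_INUSE bit, not in its own header. */
size_t next_header_word(const void *p) {
    const char *chunk = (const char *)p - 2 * sizeof(size_t);
    return *(const size_t *)(chunk + decode_size_word(header_word(p)).size + sizeof(size_t));
}

int main(void) {
    char *a = malloc(20), *b = malloc(20);   /* two adjacent small chunks */
    strcpy(a, "AAAAAAAA");
    struct chunk_info ia = decode_size_word(header_word(a));
    printf("a: size 0x%zx prev_inuse=%d\n", ia.size, ia.prev_inuse);
    size_t before = next_header_word(a);
    free(a);                                 /* small chunk: goes to a fastbin (or tcache) */
    size_t after = next_header_word(a);
    /* Both words keep PREV_INUSE set: fastbin/tcache chunks are tracked only
     * through their bin lists, so neither header records that a is free. */
    printf("next chunk size word before free 0x%zx, after 0x%zx\n", before, after);
    free(b);
    return 0;
}
```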