Next: , Previous: Example 3, Up: Examples

16.4 Using overflow buffers

This example illustrates the use of overflow buffers and so the MPATROL_OPTIONS environment variable should have OFLOWSIZE=2 and CHECK=- added to it. However, turn off any PAGEALLOC options for the purposes of this example. The test is located in tests/fail/test5.c, and tests/fail/test6.c is very similar.

     23  /*
     24   * Allocates a block of 16 bytes and then copies a string of 16
     25   * bytes into the block.  However, the string is copied to 1 byte
     26   * before the allocated block which writes before the start of the
     27   * block.  This test must be run with an OFLOWSIZE greater than 0.
     28   */
     31  #include "mpatrol.h"
     34  int main(void)
     35  {
     36      char *p;
     38      if (p = (char *) malloc(16))
     39      {
     40          strcpy(p - 1, "this test fails!");
     41          free(p);
     42      }
     43      return EXIT_SUCCESS;
     44  }

The following error should be produced in mpatrol.log.

     ERROR: [ALLOVF]: allocation 0x08062FB8 has a corrupted overflow buffer at
             0x08062FB6  AA74                                 .t
         0x08062FB8 (16 bytes) {malloc:52:0} [main|test5.c|38]
             0x0804942F main+31
             0x4007C9CB __libc_start_main+255
             0x08049381 _start+33

Once again, the library attempts to show you as much detail as possible about where the corruption occurred. Along with showing you a memory dump of the overflow buffer that was corrupted, it also shows you the allocation to which the overflow buffer belongs.

Using overflow buffers and the CHECK=- option can reduce the speed of program execution since the library has to check every buffer whenever it is called, and if the buffers are larger then they'll take longer to check and will use up more memory. However, larger buffers mean that there is less chance of the program writing past one memory allocation into another.

Alternatively, the CHECK option can be used to limit the number of checks that the library has to perform, thus speeding up program execution. This option specifies a range of allocation indices through which the library will check overflow buffers and free memory for corruption. Such checks occur when they normally would, but only if the current allocation index falls within the specified range. This feature can be used when there is a suspicion that free memory corruption or overflow buffer corruption occurs at a certain point during program execution, but checking them at every library call would take too long. You can also specify a frequency at which to check the heap using the CHECK option. This can be used when attempting to narrow down the search for where heap corruption occurs.

On systems which support software watch points, there is an extra option called OFLOWWATCH which allows additional memory protection. Watch points allow individual bytes to be read and/or write protected as opposed to just pages. The OFLOWWATCH option installs software watch points at every overflow buffer instead of requiring the library to check the integrity of the overflow buffers, and can be used in combination with PAGEALLOC. However, software watch points slow down program execution to a crawl since every machine instruction must be checked individually by the system to see if it accesses a watch point area. Slowing the program down by a factor of 10,000 is not uncommon on some systems when the OFLOWWATCH option is used.