Fix a bug where free()ing an already-free block, or even a block that looked

like it might have already been freed, would cause a crash because of a bad pointer dereference. Pointed out by Brian Noble <bnoble@cs.cmu.edu>.
1996-06-06 19:13:32 +00:00 · 1996-06-06 19:13:32 +00:00 · 57b8bdb5c3
commit 57b8bdb5c3
parent 0d3d973470
1 changed files with 3 additions and 2 deletions
--- a/sys/kern/kern_malloc.c
+++ b/sys/kern/kern_malloc.c
@ -1,4 +1,4 @@
-/*	$NetBSD: kern_malloc.c,v 1.15 1996/03/16 23:17:06 christos Exp $	*/
+/*	$NetBSD: kern_malloc.c,v 1.16 1996/06/06 19:13:32 cgd Exp $	*/

 /*
 * Copyright (c) 1987, 1991, 1993
@ -315,7 +315,8 @@ free(addr, type)
 	 * it looks free before laboriously searching the freelist.
 	 */
 	if (freep->spare0 == WEIRD_ADDR) {
-		for (cp = kbp->kb_next; cp; cp = *(caddr_t *)cp) {
+		for (cp = kbp->kb_next; cp;
+		    cp = ((struct freelist *)cp)->next) {
 			if (addr != cp)
 				continue;
 			printf("multiply freed item %p\n", addr);