Thread: Interesting thing about heap allocation in C

  1. #1 Garage Member (Chennai, joined Sep 2010, 83 posts, 1 blog entry)

    Interesting thing about heap allocation in C

    This is the code...
    Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        int *ptr1, *ptr2, *ptr3;
        int size1, size2, size3;

        if (argc < 4) {
            fprintf(stderr, "usage: %s size1 size2 size3\n", argv[0]);
            return 1;
        }
        size1 = atoi(argv[1]);
        size2 = atoi(argv[2]);
        size3 = atoi(argv[3]);

        /* three allocations in a row: fresh chunks carved off the top of the heap */
        ptr1 = (int *)malloc(size1);
        ptr2 = (int *)malloc(size2);
        ptr3 = (int *)malloc(size3);   /* first ptr3 chunk; it is never freed, and the
                                          addresses in the runs below depend on it */
        *ptr1 = *ptr2 = 10;
        printf("[ptr1] @ %p contains %d\n", (void *)ptr1, *ptr1);
        printf("[ptr2] @ %p contains %d\n", (void *)ptr2, *ptr2);

        //free(ptr2);
        free(ptr1);                    /* leaves a hole at the start of the heap */
        printf("Freed ptr1 \n");

        /* does the new allocation reuse ptr1's hole, or land after ptr2? */
        ptr3 = (int *)malloc(size3);
        *ptr3 = 20;
        printf("[ptr3] @ %p contains %d\n", (void *)ptr3, *ptr3);

        return 0;
    }
    After I run it like this...
    Code:
    $ ./heap_test 40 100 100
    [ptr1] @ 0x93b8008 contains 10
    [ptr2] @ 0x93b8038 contains 10
    Freed ptr1 
    [ptr3] @ 0x93b8108 contains 20
    After freeing ptr1, the ptr3 starts at a higher memory location than ptr2 (heap grows upward in memory from lower address to higher address)

    After running it like this
    Code:
    $ ./heap_test 50 100 10
    [ptr1] @ 0x8cf5008 contains 10
    [ptr2] @ 0x8cf5040 contains 10
    Freed ptr1 
    [ptr3] @ 0x8cf50b8 contains 20
    After freeing ptr1, the ptr3 starts at a higher memory location than ptr2 even though it could have started at the location where ptr1 pointed to at first, before being deallocated.

    After brute-forcing for some time... Now if I run the code like this...
    Code:
    $ ./heap_test 69 100 10
    [ptr1] @ 0x9b5a008 contains 10
    [ptr2] @ 0x9b5a058 contains 10
    Freed ptr1 
    [ptr3] @ 0x9b5a008 contains 20
    After freeing ptr1, the ptr3 starts at a higher memory location that is the same as that pointed to by ptr1 before getting deallocated...

    Hope you can sum up the heap allocation... also 69 is the lowest value, i.e. after 69, if the ptr3 allocation size is less than the deallocated size of ptr1, then it gets allocated at the location pointed to by ptr1 (before getting deallocated)... Don't know its significance, thought of sharing nevertheless...

  2. #2 Garage Addict 41.w4r10r (Pune, joined Jul 2010, 338 posts, 3 blog entries)

    It will be great if you elaborate it in simple language....
    Actually, to be frank, I got only 20% of your post.

  3. #3 Garage Member (Chennai, joined Sep 2010, 83 posts, 1 blog entry)

    Quote Originally Posted by 41.w4r10r:
        It will be great if you elaborate it in simple language....
        Actually, to be frank, I got only 20% of your post.

    Sorry about that... Anyway, we are allocating 3 pointers on the heap section, namely ptr1, ptr2, ptr3. Then we are deallocating ptr1 and then again reallocating ptr3 after freeing ptr1. So after freeing ptr1, we have a free space between the start of the heap and the start of the address pointed to by ptr2. But only if the size of allocation for ptr1 >= 69 and the size of allocation of ptr3 < the size of allocation for ptr1, then the newly allocated ptr3 is stored at the freed space of ptr1, else it is stored after ptr2. Hope this helps...
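The address gaps and the "69" threshold in posts #1 and #3 follow from how the allocator rounds a request into a chunk and from which freed chunks are kept in the fastbins. The program below is an added example, not the thread's code or glibc's own source; it models the 32-bit glibc layout of that time (4-byte size field, 8-byte alignment) and takes the fastbin cutoff as a parameter, because that cutoff differs between glibc versions.

```c
#include <stdio.h>

/* Hypothetical model of 32-bit glibc chunk-size arithmetic, written for this
 * thread; it is not the allocator's own code.
 * Assumptions: SIZE_SZ = 4, 8-byte alignment, MINSIZE = 16, a single freed
 * chunk that is not next to the top chunk, no tcache (added in glibc 2.26). */
#define SIZE_SZ            4u
#define MALLOC_ALIGN_MASK  7u
#define MINSIZE            16u

/* Bytes the allocator carves out for malloc(n): header added, rounded up. */
unsigned request2size(unsigned n)
{
    unsigned sz = (n + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : sz;
}

/* Smallest request whose chunk exceeds the fastbin cutoff (given in chunk bytes). */
unsigned first_non_fast_request(unsigned max_fast_chunk)
{
    unsigned n = 0;
    while (request2size(n) <= max_fast_chunk)
        n++;
    return n;
}

/* Will malloc(size3) land in the hole left by free(ptr1) of malloc(size1)?
 * A fastbin-sized hole is only handed out again for the same chunk size;
 * a larger hole is reused by any request that fits (exact fit or split). */
int hole_reused(unsigned size1, unsigned size3, unsigned max_fast_chunk)
{
    unsigned c1 = request2size(size1), c3 = request2size(size3);
    if (c1 <= max_fast_chunk)
        return c1 == c3;
    return c3 <= c1;
}

int main(void)
{
    /* Cutoff 72 reproduces the thread's "69"; a cutoff of 64 (assumed for a
     * later 32-bit glibc) would move the threshold to 61. */
    unsigned cutoffs[] = { 72, 64 };
    for (int i = 0; i < 2; i++)
        printf("max_fast %u: first non-fastbin request = %u\n",
               cutoffs[i], first_non_fast_request(cutoffs[i]));
    printf("heap_test 69 100 10 reuses ptr1's hole: %d\n", hole_reused(69, 10, 72));
    return 0;
}
```

The gaps printed in post #1 (0x30 after malloc(40), 0x38 after malloc(50), 0x50 after malloc(69)) are exactly request2size() of the first request, and ptr3 in the first run sits two 0x68-byte chunks past ptr2 because the first malloc(100) for ptr3 was never freed.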

  4. #4 Garage Addict 41.w4r10r (Pune, joined Jul 2010, 338 posts, 3 blog entries)

    Quote Originally Posted by sebas_phoenix:
        Sorry about that... Anyway, we are allocating 3 pointers on the heap section, namely ptr1, ptr2, ptr3. Then we are deallocating ptr1 and then again reallocating ptr3 after freeing ptr1. So after freeing ptr1, we have a free space between the start of the heap and the start of the address pointed to by ptr2. But only if the size of allocation for ptr1 >= 69 and the size of allocation of ptr3 < the size of allocation for ptr1, then the newly allocated ptr3 is stored at the freed space of ptr1, else it is stored after ptr2. Hope this helps...

    Thanks,
    Got your point 100% now...

  5. #5
    Namaste

    The study of heap behaviors is another branch of computer science. You can write a full epic on it.

    The behavior that gives us a little control over the heap dynamically is that whenever you allocate a huge object and then destroy it, a smaller object will be allocated in its place. This behavior is used in exploiting certain heap-based bugs.

    We use this technique in heap spray to control the spray area..."vinnu"

  6. #6 Garage Member (Chennai, joined Sep 2010, 83 posts, 1 blog entry)

    Quote Originally Posted by "vinnu":
        Namaste

        The study of heap behaviors is another branch of computer science. You can write a full epic on it.

        The behavior that gives us a little control over the heap dynamically is that whenever you allocate a huge object and then destroy it, a smaller object will be allocated in its place. This behavior is used in exploiting certain heap-based bugs.

        We use this technique in heap spray to control the spray area..."vinnu"

    Thanks... never knew it!! I just noticed it while playing around with the program!!

  7. #7
    My pleasure
    A little more on the heap:

    The Windows heap is granular, and like-sized objects are allocated close to each other. This information also helps in exploitation.

    First of all, the heap is filled with objects of similar and slightly larger size than the vulnerable object's size. Then some of the recently allocated objects are freed to create holes. These holes will then accommodate the vulnerable object.

    This gives us control over the memory land where the vulnerable object will be placed..."vinnu"
