Interesting thing about heap allocation in C



sebas_phoenix
03-22-2011, 12:02 AM
This is the code...

#include<stdio.h>
#include<stdlib.h>
#include<string.h>

int main(int argc, char **argv)
{
    int *ptr1, *ptr2, *ptr3;
    int size1, size2, size3;

    if (argc < 4) {
        fprintf(stderr, "usage: %s size1 size2 size3\n", argv[0]);
        return 1;
    }
    size1 = atoi(argv[1]);
    size2 = atoi(argv[2]);
    size3 = atoi(argv[3]);

    ptr1 = (int *)malloc(size1);
    ptr2 = (int *)malloc(size2);
    ptr3 = (int *)malloc(size3);   /* first ptr3 block; it is never freed, so the
                                      second malloc below cannot land in it */
    *ptr1 = *ptr2 = 10;
    printf("[ptr1] @ %p contains %d\n", (void *)ptr1, *ptr1);
    printf("[ptr2] @ %p contains %d\n", (void *)ptr2, *ptr2);

    //free(ptr2);
    free(ptr1);
    printf("Freed ptr1 \n");
    ptr3 = (int *)malloc(size3);   /* does this reuse the freed ptr1 chunk? */
    *ptr3 = 20;
    printf("[ptr3] @ %p contains %d\n", (void *)ptr3, *ptr3);

    return 0;
}


After I run it like this...

$ ./heap_test 40 100 100
[ptr1] @ 0x93b8008 contains 10
[ptr2] @ 0x93b8038 contains 10
Freed ptr1
[ptr3] @ 0x93b8108 contains 20

After freeing ptr1, ptr3 starts at a higher memory location than ptr2 (the heap grows upward in memory, from lower addresses to higher addresses).

After running it like this

$ ./heap_test 50 100 10
[ptr1] @ 0x8cf5008 contains 10
[ptr2] @ 0x8cf5040 contains 10
Freed ptr1
[ptr3] @ 0x8cf50b8 contains 20

After freeing ptr1, ptr3 starts at a higher memory location than ptr2, even though it could have started at the location where ptr1 pointed to at first, before being deallocated.

After brute-forcing for some time... Now if I run the code like this...

$ ./heap_test 69 100 10
[ptr1] @ 0x9b5a008 contains 10
[ptr2] @ 0x9b5a058 contains 10
Freed ptr1
[ptr3] @ 0x9b5a008 contains 20
After freeing ptr1, ptr3 starts at a higher memory location that is the same as that pointed to by ptr1 before getting deallocated...

Hope you can sum up the heap allocation... also, 69 is the lowest value, i.e. after 69, if the ptr3 allocation size is less than the deallocated size of ptr1, then it gets allocated at the location pointed to by ptr1 (before getting deallocated)... Dunno its significance, thought of sharing nevertheless... :)

41.w4r10r
03-22-2011, 01:50 AM
It would be great if you could elaborate in simple language...
Actually,
to be frank, I got only 20% of your post.

sebas_phoenix
03-22-2011, 02:27 AM

Sorry about that... Anyway, we are allocating 3 pointers on the heap section, namely ptr1, ptr2, ptr3. Then we are deallocating ptr1 and then again reallocating ptr3 after freeing ptr1. So after freeing ptr1, we have a free space between the start of the heap and the start of the address pointed to by ptr2. But only if the size of allocation for ptr1 >= 69 and the size of allocation of ptr3 < the size of allocation for ptr1, then the newly allocated ptr3 is stored in the freed space of ptr1; else it is stored after ptr2. Hope this helps...
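The address arithmetic behind the three posted runs, as an added example (not the poster's program): a small model of 32-bit glibc ptmalloc2 as I understand it stood in 2011, where the constants (4-byte size field, 8-byte alignment, and a 72-byte fastbin limit) are assumptions chosen to match the observed 69 threshold. Offsets are measured from ptr1, so they line up with the posted addresses minus 0x...008.

```c
#include <stdio.h>

/* Assumed constants of 32-bit glibc ptmalloc2 circa 2011: 4-byte size field,
 * 8-byte alignment, 16-byte minimum chunk, and chunks of up to 72 bytes
 * (request2size(64)) going to exact-size fastbins instead of being split. */
#define SIZE_SZ    4U
#define ALIGN_MASK 7U
#define MIN_CHUNK  16U
#define MAX_FAST   72U

struct run {
    unsigned ptr1, ptr2, ptr3_first, ptr3_second; /* offsets from ptr1 */
    int reused;                                    /* second ptr3 == old ptr1? */
};

/* request2size(): user bytes -> chunk bytes, header included. */
static unsigned chunk_size(unsigned req)
{
    unsigned sz = (req + SIZE_SZ + ALIGN_MASK) & ~ALIGN_MASK;
    return sz < MIN_CHUNK ? MIN_CHUNK : sz;
}

/* Replays "heap_test s1 s2 s3": three mallocs, free(ptr1), malloc(s3) again. */
static struct run simulate(unsigned s1, unsigned s2, unsigned s3)
{
    unsigned c1 = chunk_size(s1), c2 = chunk_size(s2), c3 = chunk_size(s3);
    struct run r;
    unsigned top = 0;                       /* next byte carved from the top */
    r.ptr1 = top; top += c1;
    r.ptr2 = top; top += c2;
    r.ptr3_first = top; top += c3;          /* never freed, so it stays put */
    /* free(ptr1): a chunk <= MAX_FAST sits in a fastbin and is handed back only
     * for an identical chunk size; a bigger one is binned and split for any
     * request that fits. Anything else is carved from the top. */
    int fast = c1 <= MAX_FAST;
    r.reused = fast ? (c3 == c1) : (c3 <= c1);
    r.ptr3_second = r.reused ? r.ptr1 : top;
    return r;
}

int main(void)
{
    unsigned cases[][3] = { {40, 100, 100}, {50, 100, 10}, {68, 100, 10}, {69, 100, 10} };
    for (unsigned i = 0; i < 4; i++) {
        struct run r = simulate(cases[i][0], cases[i][1], cases[i][2]);
        printf("%u %u %u: ptr2 +0x%x, ptr3 +0x%x (%s)\n", cases[i][0], cases[i][1],
               cases[i][2], r.ptr2, r.ptr3_second, r.reused ? "reused ptr1" : "from top");
    }
    return 0;
}
```

The "reused" case is also the one a use-after-free checker such as AddressSanitizer cares about: a stale ptr1 kept after free() would now alias ptr3's data.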

41.w4r10r
03-22-2011, 10:08 AM

Thanks,
Got your point 100% now...

"vinnu"
03-24-2011, 11:20 AM
Namaste

The study of heap behaviors is another branch of computer science. You can write a full epic on it.

The behavior that gives us a little control over the heap dynamically is that whenever you allocate a huge object and then destroy it, a smaller object will be allocated in its place. This behavior is used in exploiting certain heap-based bugs.

We use this technique in heap spray to control the spray area..."vinnu"

sebas_phoenix
03-24-2011, 11:26 AM

Thanks... never knew it!! I just noticed it while playing around with the program!!

"vinnu"
09-01-2011, 10:00 AM
My pleasure.
A little more on the heap:

The Windows heap is granular, and like-sized objects are allocated close to each other. This information also helps in exploitation.

First of all, the heap is filled with objects of similar and slightly larger size than the vulnerable object's size. Then some of the recently allocated objects are freed to create holes. These holes will then accommodate the vulnerable object.

This gives us control over the memory land where the vulnerable object will be placed..."vinnu"