If size is greater than (UINT32_MAX - SIZEOF_MM_ALLOCNODE), malloc size can be... (196911d4) · Commits · f4grx / NuttX RTOS

Commit 196911d4 authored Oct 17, 2017 by EunBong Song Committed by Gregory Nutt Oct 17, 2017

If size is greater than (UINT32_MAX - SIZEOF_MM_ALLOCNODE), malloc size can be...

If size is greater than (UINT32_MAX - SIZEOF_MM_ALLOCNODE), malloc size can be overflow by MM_ALIGN_UP macro.  For example, if task_create() called with stack_size == -1, up_create_stack() functions allocates SIZEOF_MM_ALLOCNODE bytes for stack.
This can cause data abort in up_stack_color() function.

parent 5d6ecfa3

Hide whitespace changes

Inline Side-by-side

Please register or to comment

Admin message

If size is greater than (UINT32_MAX - SIZEOF_MM_ALLOCNODE), malloc size can be...