Question

The code below comes from a homework assignment discussing heap-overflow exploitations, which I understand as a concept. What I don't understand is what is going on exactly with malloc and the pointers in this code example. Obviously both pointers are pointing to the same space in the heap, but why is this? Wouldn't malloc reserve the space for buf1 and then reserve another space for buf2?

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, const char * argv[])
{
    int diff, size = 8;
    char *buf1, *buf2;
    buf1 = (char *)malloc(size);          /* two separate 8-byte allocations */
    buf2 = (char *)malloc(size);
    diff = buf2 - buf1;                   /* distance between them in bytes; depends on the allocator */
    memset(buf2, '2', size);              /* no terminating '\0' is written */
    printf("BEFORE: buf2 = %s", buf2);
    memset(buf1, '1', diff + 3);          /* writes past the end of buf1 into buf2 (the deliberate overflow) */
    printf("AFTER: buf2 = %s", buf2);
    return 0;
}

This code produces the output

BEFORE: buf2 = 22222222AFTER: buf2 = 11122222

Many thanks. :)

Solution

Explanation of the result

buf1 and buf2 are not pointing to the same space.

Your result can be explained as follows.

By luck the allocations give the following memory layout:

buf1      buf2 
|--------|--------|

The first memset gives

buf1      buf2 
|--------|22222222|

as in it sets from the start of buf2 to the end to 2.

The second memset gives:

buf1      buf2 
|11111111|11122222|

That is, it sets from the start of buf1 to 3 past its end.

Undefined behaviour

This does not segfault as you are changing memory that is allocated to your program.

However, passing buf2 to printf in that way is invoking undefined behaviour.

The reason is that printf invoked as:

printf("BEFORE: buf2 = %s",buf2);

does not have a way to know the size of buf2, so it continues until it sees the null \0 character, which your code does not add. It seems by luck the value immediately after buf2 happens to be the null value.

You could either add the \0 character to the end of buf2.

Or, maybe more fitting in this case, you could use the precision format specifier (that's a . followed by an int value) to let printf know how many characters to print. That would be done as so:

printf("BEFORE: buf2 = %.8s",buf2); 
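A hardened counterpart to the program in the question, added here as an example (it is not code from the question or the answer). The helper names bounded_fill and two_buffers_stay_separate are my own, and the code assumes nothing about where malloc places the two blocks: the write into buf1 is bounded by buf1's own size, every buffer gets a terminator, and the print is capped with %.*s.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded fill: writes n copies of c into buf, then a terminator, but only
   when both fit inside the allocation of cap bytes. Returns 0 on success
   and -1 if the request would run past the end of buf. */
int bounded_fill(char *buf, size_t cap, char c, size_t n)
{
    if (buf == NULL || cap == 0 || n > cap - 1)
        return -1;
    memset(buf, c, n);
    buf[n] = '\0';
    return 0;
}

/* Recreates the two-allocation layout from the question with the answer's
   two fixes applied: every buffer gets a '\0', and a fill that would spill
   out of buf1 is refused instead of trusting the distance between two
   unrelated allocations. Returns 1 if buf2 still holds exactly `size`
   '2' characters afterwards, 0 if it was clobbered, -1 on allocation failure. */
int two_buffers_stay_separate(size_t size, size_t overfill)
{
    char *buf1 = malloc(size + 1);   /* +1 byte for the terminator */
    char *buf2 = malloc(size + 1);
    int intact = -1;

    if (buf1 != NULL && buf2 != NULL) {
        bounded_fill(buf2, size + 1, '2', size);
        /* The original wrote diff + 3 bytes; here the oversized request is
           rejected and only what fits in buf1 is written. */
        if (bounded_fill(buf1, size + 1, '1', size + overfill) != 0)
            bounded_fill(buf1, size + 1, '1', size);
        /* %.*s caps the read at `size` bytes even if a terminator were missing. */
        printf("AFTER: buf2 = %.*s\n", (int)size, buf2);
        intact = (strspn(buf2, "2") == size && buf2[size] == '\0') ? 1 : 0;
    }
    free(buf1);
    free(buf2);
    return intact;
}

int main(void)
{
    /* Same numbers as the question: 8-byte buffers, 3 bytes too many. */
    return two_buffers_stay_separate(8, 3) == 1 ? 0 : 1;
}
```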
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow