0ctf-2018 heapstorm2 in detail

0x01 Prerequisites

Heap-related data structures

The memory block returned by malloc is called a chunk. Every chunk carries a header used to manage it, called malloc_chunk, defined as follows:
/*
  This struct declaration is misleading (but accurate and necessary).
  It declares a "view" into memory allowing access to necessary
  fields at known offsets from a given base. See explanation below.
*/
struct malloc_chunk {

  INTERNAL_SIZE_T      prev_size;  /* Size of previous chunk (if free).  */
  INTERNAL_SIZE_T      size;       /* Size in bytes, including overhead. */

  struct malloc_chunk* fd;         /* double links -- used only if free. */
  struct malloc_chunk* bk;

  /* Only used for large blocks: pointer to next larger size.  */
  struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
  struct malloc_chunk* bk_nextsize;
};

The fields are explained as follows:

  • prev_size: if the physically adjacent previous chunk (the pointer difference equals the previous chunk's size) is free, then this field
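To make the header layout concrete, here is an added example in C that is not part of the original writeup. It decodes malloc_chunk headers from a constructed three-chunk memory image and walks the chunks forward by size and backward by prev_size. It assumes a 64-bit glibc build (INTERNAL_SIZE_T is 8 bytes) and uses glibc's standard flag bits in the low three bits of the size field (PREV_INUSE = 0x1, IS_MMAPPED = 0x2, NON_MAIN_ARENA = 0x4), which the writeup has not introduced yet; the sample image, the offsets in it and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* glibc keeps three flag bits in the low 3 bits of the size field.
 * These are the standard glibc values (assumed here, not from the page). */
#define PREV_INUSE      0x1
#define IS_MMAPPED      0x2
#define NON_MAIN_ARENA  0x4
#define SIZE_BITS       (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

typedef struct {
    uint64_t prev_size;      /* raw prev_size field */
    uint64_t size;           /* raw size field, flag bits included */
    uint64_t chunksize;      /* size with the flag bits masked off */
    int prev_inuse, is_mmapped, non_main_arena;
} chunk_hdr;

/* Read / write a little-endian 8-byte word at img[off]. */
static uint64_t rd64(const uint8_t *img, size_t off) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | img[off + i];
    return v;
}
static void wr64(uint8_t *img, size_t off, uint64_t v) {
    for (int i = 0; i < 8; i++) img[off + i] = (uint8_t)(v >> (8 * i));
}

/* Decode the header of the chunk starting at offset off of a raw image.
 * Returns 0 on success, -1 if the 16-byte header does not fit in the image. */
int decode_chunk(const uint8_t *img, size_t len, size_t off, chunk_hdr *out) {
    if (len < 16 || off > len - 16) return -1;
    out->prev_size = rd64(img, off);
    out->size = rd64(img, off + 8);
    out->chunksize = out->size & ~(uint64_t)SIZE_BITS;
    out->prev_inuse = (out->size & PREV_INUSE) != 0;
    out->is_mmapped = (out->size & IS_MMAPPED) != 0;
    out->non_main_arena = (out->size & NON_MAIN_ARENA) != 0;
    return 0;
}

/* Constructed 3-chunk image (not captured from the challenge binary):
 *   A @ 0x00: size 0x20, free    -> size field 0x21 (PREV_INUSE set: nothing before it)
 *   B @ 0x20: size 0x30, in use  -> prev_size 0x20 because A is free, size field 0x30
 *   C @ 0x50: size 0x20, free    -> size field 0x21 because B is in use */
#define SAMPLE_LEN 0x70
const uint8_t *sample_image(void) {
    static uint8_t img[SAMPLE_LEN];
    memset(img, 0, sizeof img);
    wr64(img, 0x00, 0);     wr64(img, 0x08, 0x20 | PREV_INUSE);
    wr64(img, 0x20, 0x20);  wr64(img, 0x28, 0x30);
    wr64(img, 0x50, 0);     wr64(img, 0x58, 0x20 | PREV_INUSE);
    return img;
}

/* Accessors over the sample image so each decoded value can be checked. */
uint64_t sample_chunksize(size_t off) {
    chunk_hdr h;
    return decode_chunk(sample_image(), SAMPLE_LEN, off, &h) == 0 ? h.chunksize : 0;
}
int sample_prev_inuse(size_t off) {
    chunk_hdr h;
    return decode_chunk(sample_image(), SAMPLE_LEN, off, &h) == 0 ? h.prev_inuse : -1;
}
/* Physically previous chunk: off - prev_size. Only meaningful when PREV_INUSE
 * is clear; otherwise prev_size overlaps the previous chunk's user data. */
long sample_prev_chunk(size_t off) {
    chunk_hdr h;
    if (decode_chunk(sample_image(), SAMPLE_LEN, off, &h) != 0) return -1;
    if (h.prev_inuse || h.prev_size > off) return -1;
    return (long)(off - h.prev_size);
}
/* Physically next chunk: off + chunksize, if its header still fits the image. */
long sample_next_chunk(size_t off) {
    chunk_hdr h;
    if (decode_chunk(sample_image(), SAMPLE_LEN, off, &h) != 0) return -1;
    if (h.chunksize == 0 || off + h.chunksize > SAMPLE_LEN - 16) return -1;
    return (long)(off + h.chunksize);
}

int main(void) {
    /* Walk the image forward the way glibc's next_chunk() would. */
    for (long off = 0; off != -1; off = sample_next_chunk((size_t)off)) {
        chunk_hdr h;
        decode_chunk(sample_image(), SAMPLE_LEN, (size_t)off, &h);
        printf("chunk @ 0x%02lx: chunksize=0x%llx prev_inuse=%d prev_size=0x%llx\n",
               off, (unsigned long long)h.chunksize, h.prev_inuse,
               (unsigned long long)h.prev_size);
    }
    return 0;
}
```

The point the walk makes is the one the field list is building towards: the size field is the only forward link between physically adjacent chunks, and prev_size is a valid backward link only while PREV_INUSE is clear. Any primitive that lets an attacker write either field therefore lets the allocator be steered to a chunk boundary of the attacker's choosing, which is why consolidation-time checks on these fields matter.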