Incorrect checksum for freed object on malloc

Question

I get an

malloc: *** error for object 0x1001012f8: incorrect checksum for freed object
        - object was probably modified after being freed.
        *** set a breakpoint in malloc_error_break to debug

error in the following function:

char* substr(const char* source, const char* start, const char* end) {
    char *path_start, *path_end, *path;

    int path_len, needle_len = strlen(start);

    path_start = strcasestr(source, start);
    if (path_start != NULL) {
        path_start += needle_len;
        path_end = strcasestr(path_start, end);
        path_len = path_end - path_start;
        path = malloc(path_len + 1);
        strncpy(path, path_start, path_len);
        path[path_len] = '\0';
    } else {
        path = NULL;
    }

    return path;
}

How can I make this work? When I rewrite the function to allocate the memory using path[path_len + 1] it works just fine.

Now, the part I don't understand is, that I never even call free in any point of my application, as every allocated memory is needed for the program until it exists (which, AFAIK will invalidate every allocated memory anyway?!)

So, how can a freed object be corrupt if I never free one?

The function is called in this one:

char *read_response(int sock) {
    int bytes_read;
    char *buf = (char*)malloc(BUF_SIZE);
    char *cur_position = buf;

    while ((bytes_read = read(sock, cur_position, BUF_SIZE)) > 0) {
        cur_position += bytes_read;
        buf = realloc(buf, sizeof(buf) + BUF_SIZE);
    }

    int status = atoi(substr(buf, "HTTP/1.0 ", " "));

There is the realloc, am I using that wrong? I want to read the complete server response, so I have to reallocate after every iteration, don't I?

Answer 1

In read_response, you are probably overwriting the end of the buffer pointed to by buf.

The problem is that buf is a pointer, so sizeof(buf) will return the size of a pointer (probably 4 or 8 depending on your CPU). You are using sizeof as if buf were an array, which is not really the same thing as a pointer in C although they seem interchangeable in some contexts.

Instead of using sizeof, you need to be keeping track of the last size that you allocated for buf, and add BUF_SIZE to that each time you enlarge the buffer.

You should also consider that the read operation may be returning considerably fewer characters than BUF_SIZE on each call, so doing a realloc on buf in each iteration may be overkill. That probably won't cause any problems for you in terms of correctness, though; it will just use more memory than it needs to.

I would do something more like the code below.

#define MIN_BUF_SPACE_THRESHOLD (BUF_SIZE / 2)

char *read_response(int sock) {
    int bytes_read;
    char *buf = (char*)malloc(BUF_SIZE);
    int cur_position = 0;
    int space_left = BUF_SIZE;

    if (buf == NULL) {
        exit(1); /* or try to cope with out-of-memory situation */
    }

    while ((bytes_read = read(sock, buf + cur_position, space_left)) > 0) {
        cur_position += bytes_read;
        space_left -= bytes_read;
        if (space_left < MIN_BUF_SPACE_THRESHOLD) {
            buf = realloc(buf, cur_position + space_left + BUF_SIZE);
            if (buf == NULL) {
                exit(1); /* or try to cope with out-of-memory situation */
            }
            space_left += BUF_SIZE;
        }
    }

This version has the advantage of not trying to allocate more space if the read call comes back with only a few bytes of data.

Answer 2

This line

buf = realloc(buf, sizeof(buf) + BUF_SIZE);

is wrong. All reallocations are with the same size, BUF_SIZE + sizeof(char*). Then you are writing to unallocated memory when reading from the socket, overwriting memory previously freed by a realloc.

You have to keep track of the allocated size,

size_t current_buf_size = BUF_SIZE;
/* ... */
    char *temp = realloc(buf, current_buf_size + BUF_SIZE);
    if (temp == NULL) {
        /* die or repair */
    }
    buf = temp;