
# Heap Functions Security Checks

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## unlink

For more info check:

{% content-ref url="/pages/AZRFxBm71qUg1LN6IkO6" %}
[unlink](/hacktricks/binary-exploitation/libc-heap/heap-memory-functions/unlink.md)
{% endcontent-ref %}

This is a summary of the performed checks:

* Check if the indicated size of the chunk is the same as the `prev_size` indicated in the next chunk
  * Error message: `corrupted size vs. prev_size`
* Check also that `P->fd->bk == P` and `P->bk->fd == P`
  * Error message: `corrupted double-linked list`
* If the chunk is not small, check that `P->fd_nextsize->bk_nextsize == P` and `P->bk_nextsize->fd_nextsize == P`
  * Error message: `corrupted double-linked list (not small)`
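As an added illustration (not code from this page or from glibc), the three `unlink` checks above re-implemented in C over a constructed chunk layout, with demos that corrupt `P->bk` and `P->size` to show which check fires. The `chunk` struct, `MIN_LARGE_SIZE` and the static heap buffer are a simplified model; `unlink_check`, `setup`, `demo_valid`, `demo_corrupted_bk` and `demo_corrupted_size` are names assumed for this example.

```c
#include <stddef.h>
#include <string.h>
/* Minimal model of glibc's malloc_chunk header, constructed for this example. */
typedef struct chunk {
    size_t prev_size;                  /* previous chunk's size, valid only when it is free */
    size_t size;                       /* this chunk's size; bit 0 is PREV_INUSE */
    struct chunk *fd, *bk;             /* bin list links, used only while free */
    struct chunk *fd_nextsize, *bk_nextsize;  /* large bin size-ordered links */
} chunk;
#define MIN_LARGE_SIZE 1024            /* small/large bin boundary on 64-bit glibc */
#define chunksize(p)   ((p)->size & ~(size_t)7)
#define next_chunk(p)  ((chunk *)((char *)(p) + chunksize(p)))

/* Re-implementation of the unlink checks listed above. Returns NULL when the
 * chunk passes, otherwise the message glibc would abort with. */
const char *unlink_check(chunk *p) {
    if (chunksize(p) != next_chunk(p)->prev_size)
        return "corrupted size vs. prev_size";
    if (p->fd->bk != p || p->bk->fd != p)
        return "corrupted double-linked list";
    if (chunksize(p) >= MIN_LARGE_SIZE && p->fd_nextsize != NULL &&
        (p->fd_nextsize->bk_nextsize != p || p->bk_nextsize->fd_nextsize != p))
        return "corrupted double-linked list (not small)";
    return NULL;
}

/* Two-chunk "heap" in a static buffer; P is the only entry of a bin list. */
static size_t heap[0x40];              /* 0x200 bytes, naturally 8-byte aligned */
static chunk bin_head, fake;           /* fake.fd stays NULL, so fake.fd != p */
static chunk *setup(size_t size) {
    memset(heap, 0, sizeof heap);
    chunk *p = (chunk *)heap;
    p->size = size | 1;                /* PREV_INUSE set for P's own predecessor */
    next_chunk(p)->prev_size = size;   /* next chunk records P's size: P is free */
    next_chunk(p)->size = 0x40;        /* PREV_INUSE clear: P is not in use */
    bin_head.fd = bin_head.bk = p;
    p->fd = p->bk = &bin_head;
    return p;
}

const char *demo_valid(void) { return unlink_check(setup(0x90)); }

/* Overwrite P->bk with a pointer to a chunk that does not link back to P. */
const char *demo_corrupted_bk(void) {
    chunk *p = setup(0x90);
    p->bk = &fake;
    return unlink_check(p);
}
/* Shrink P's size so it no longer matches next->prev_size: the first check fires. */
const char *demo_corrupted_size(void) { chunk *p = setup(0x90); p->size = 0x80 | 1; return unlink_check(p); }
```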

## `_int_malloc`

For more info check:

{% content-ref url="/pages/EbhCRqCBpWpfkoPOd0Hw" %}
[malloc & sysmalloc](/hacktricks/binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.md)
{% endcontent-ref %}

* **Checks during fast bin search:**
  * If the chunk is misaligned:
    * Error message: `malloc(): unaligned fastbin chunk detected 2`
  * If the forward chunk is misaligned:
    * Error message: `malloc(): unaligned fastbin chunk detected`
  * If the returned chunk has a size that isn't correct for its index in the fast bin:
    * Error message: `malloc(): memory corruption (fast)`
  * If any chunk used to fill the tcache is misaligned:
    * Error message: `malloc(): unaligned fastbin chunk detected 3`
* **Checks during small bin search:**
  * If `victim->bk->fd != victim`:
    * Error message: `malloc(): smallbin double linked list corrupted`
* **Checks during consolidate** performed for each fast bin chunk:
  * If the chunk is misaligned:
    * Error message: `malloc_consolidate(): unaligned fastbin chunk detected`
  * If the chunk has a size different from the one its fast bin index requires:
    * Error message: `malloc_consolidate(): invalid chunk size`
  * If the previous chunk is not in use and its size differs from the `prev_size` recorded in the current chunk:
    * Error message: `corrupted size vs. prev_size in fastbins`
* **Checks during unsorted bin search**:
  * If the chunk size is weird (too small or too big):
    * Error message: `malloc(): invalid size (unsorted)`
  * If the next chunk size is weird (too small or too big):
    * Error message: `malloc(): invalid next size (unsorted)`
  * If the previous size indicated by the next chunk differs from the size of the chunk:
    * Error message: `malloc(): mismatching next->prev_size (unsorted)`
  * If `bck->fd != victim` (where `bck = victim->bk`) or `victim->fd` does not point to the arena (`unsorted_chunks(av)`):
    * Error message: `malloc(): unsorted double linked list corrupted`
    * Since the last chunk of the unsorted bin is always the one taken, its `fd` must always point back into the arena struct.
  * If the next chunk isn't indicating that the previous is in use:
    * Error message: `malloc(): invalid next->prev_inuse (unsorted)`
  * If `fwd->bk_nextsize->fd_nextsize != fwd`:
    * Error message: `malloc(): largebin double linked list corrupted (nextsize)`
  * If `fwd->bk->fd != fwd`:
    * Error message: `malloc(): largebin double linked list corrupted (bk)`
* **Checks during large bin (by index) search:**
  * If `bck->fd->bk != bck`:
    * Error message: `malloc(): corrupted unsorted chunks`
* **Checks during large bin (next bigger) search:**
  * If `bck->fd->bk != bck`:
    * Error message: `malloc(): corrupted unsorted chunks2`
* **Checks during Top chunk use:**
  * If `chunksize(av->top) > av->system_mem`:
    * Error message: `malloc(): corrupted top size`

## `tcache_get_n`

* **Checks in `tcache_get_n`:**
  * If chunk is misaligned:
    * Error message: `malloc(): unaligned tcache chunk detected`

## `tcache_thread_shutdown`

* **Checks in `tcache_thread_shutdown`:**
  * If chunk is misaligned:
    * Error message: `tcache_thread_shutdown(): unaligned tcache chunk detected`

## `__libc_realloc`

* **Checks in `__libc_realloc`:**
  * If the old pointer is misaligned or its chunk size is invalid:
    * Error message: `realloc(): invalid pointer`

## `_int_free`

For more info check:

{% content-ref url="/pages/TbHmePMlk8B6niavLG9E" %}
[free](/hacktricks/binary-exploitation/libc-heap/heap-memory-functions/free.md)
{% endcontent-ref %}

* **Checks during the start of `_int_free`:**
  * If the pointer is not aligned:
    * Error message: `free(): invalid pointer`
  * If the size is smaller than `MINSIZE` or not aligned:
    * Error message: `free(): invalid size`
* **Checks in `_int_free` tcache:**
  * If there are more entries than `mp_.tcache_count`:
    * Error message: `free(): too many chunks detected in tcache`
  * If the entry is not aligned:
    * Error message: `free(): unaligned chunk detected in tcache 2`
  * If the chunk being freed is already present in the tcache bin (double free):
    * Error message: `free(): double free detected in tcache 2`
* **Checks in `_int_free` fast bin:**
  * If the size of the next chunk is invalid (too small or too big):
    * Error message: `free(): invalid next size (fast)`
  * If the added chunk is already at the top of the fast bin:
    * Error message: `double free or corruption (fasttop)`
  * If the chunk at the top of the fast bin has a different size than the chunk being added:
    * Error message: `invalid fastbin entry (free)`
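An added example, not code from this page or from glibc, modelling in C the three tcache checks at the start of `_int_free` listed above: a key is stamped into the chunk when it enters the tcache, and a later free whose key matches triggers a walk of the bin that applies the count, alignment and double-free tests. `tcache_free_check`, `tcache_put`, `reset`, `demo_double_free` and `demo_key_coincidence` are names assumed for this example; `tcache_key` is a fixed constant here rather than glibc's random per-process value, and safe-linking pointer mangling is omitted.

```c
#include <stdint.h>
#include <string.h>
/* Simplified model of one tcache bin (constructed for this example; glibc's safe-linking
 * pointer mangling and per-bin counts are omitted). */
#define TCACHE_COUNT 7                  /* default mp_.tcache_count */
typedef struct tcache_entry {
    struct tcache_entry *next;          /* overlays the first user word of a freed chunk */
    uintptr_t key;                      /* equals tcache_key while the chunk sits in tcache */
} tcache_entry;
static tcache_entry *bin_head;          /* tcache->entries[tc_idx] */
static const uintptr_t tcache_key = 0x5eedc0de;  /* random per process in real glibc */
#define aligned_ok(p) ((((uintptr_t)(p)) & 15) == 0)
/* The tcache checks at the start of _int_free; NULL means the free may proceed. */
const char *tcache_free_check(tcache_entry *e) {
    if (e->key != tcache_key)           /* key mismatch: cannot be a double free */
        return NULL;
    size_t cnt = 0;                     /* key matched: confirm by walking the bin */
    for (tcache_entry *tmp = bin_head; tmp; tmp = tmp->next, ++cnt) {
        if (cnt >= TCACHE_COUNT)
            return "free(): too many chunks detected in tcache";
        if (!aligned_ok(tmp))
            return "free(): unaligned chunk detected in tcache 2";
        if (tmp == e)
            return "free(): double free detected in tcache 2";
    }
    return NULL;                        /* key matched by coincidence: not an error */
}

static void tcache_put(tcache_entry *e) { /* push onto the bin and stamp the key */
    e->key = tcache_key;
    e->next = bin_head;
    bin_head = e;
}

static _Alignas(16) tcache_entry a, b, c;   /* constructed "chunks" */
static void reset(void) { bin_head = NULL; a.key = 0; }

/* Free 'a' once (allowed), free 'b', then free 'a' again (caught). */
const char *demo_double_free(void) {
    reset();
    if (tcache_free_check(&a) != NULL) return "unexpected: first free rejected";
    tcache_put(&a);
    tcache_put(&b);
    return tcache_free_check(&a);
}

/* 'c' was never freed, but its user data equals the key: bin walked, no abort. */
const char *demo_key_coincidence(void) {
    reset(); tcache_put(&a); c.key = tcache_key; return tcache_free_check(&c);
}
```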

## **`_int_free_merge_chunk`**

* **Checks in `_int_free_merge_chunk`:**
  * If the chunk is the top chunk:
    * Error message: `double free or corruption (top)`
  * If the next chunk is outside of the boundaries of the arena:
    * Error message: `double free or corruption (out)`
  * If the chunk is not marked as in use (the `prev_inuse` bit of the following chunk is clear):
    * Error message: `double free or corruption (!prev)`
  * If the size of the next chunk is too small or too big:
    * Error message: `free(): invalid next size (normal)`
  * If the previous chunk is not in use, it will try to consolidate backwards. But if `prev_size` differs from the size stored in the previous chunk:
    * Error message: `corrupted size vs. prev_size while consolidating`

## **`_int_free_create_chunk`**

* **Checks in `_int_free_create_chunk`:**
  * When adding a chunk to the unsorted bin, if `unsorted_chunks(av)->fd->bk != unsorted_chunks(av)`:
    * Error message: `free(): corrupted unsorted chunks`

## `do_check_malloc_state`

* **Checks in `do_check_malloc_state`:**
  * If misaligned fast bin chunk:
    * Error message: `do_check_malloc_state(): unaligned fastbin chunk detected`

## `malloc_consolidate`

* **Checks in `malloc_consolidate`:**
  * If misaligned fast bin chunk:
    * Error message: `malloc_consolidate(): unaligned fastbin chunk detected`
  * If incorrect fast bin chunk size:
    * Error message: `malloc_consolidate(): invalid chunk size`

## `_int_realloc`

* **Checks in `_int_realloc`:**
  * If the old chunk's size is too big or too small:
    * Error message: `realloc(): invalid old size`
  * If the size of the next chunk is too big or too small:
    * Error message: `realloc(): invalid next size`
