DistriNet malloc (dnmalloc): a more secure memory allocator. 
Copyright (C) 2005, Yves Younan, Wouter Joosen and Frank Piessens and Rainer Wichmann.

Dnmalloc is an allocator that keeps heap management data separate from
the heap itself. As a result, dnmalloc is NOT vulnerable to heap corruption
by heap buffer overflows or double free errors. 


Installation:
-------------

On Linux:
sh$ make
sh$ make test
sh$ sudo make install


Usage:
------

For single-threaded programs, no recompiling is required;
you can run them with:
sh$ LD_PRELOAD=/usr/local/lib/libdnmalloc.so  some_application

Threaded programs may deadlock under some circumstances unless
they are recompiled to call dnmalloc_pthread_init() at startup.


Functions provided:
-------------------

Dnmalloc implements malloc, calloc, realloc, free, posix_memalign,
as well as the non-standard functions memalign, valloc, and pvalloc.


Portability:
------------

Tested in multi-threaded mode on Linux (32/64 bit), FreeBSD, Solaris i386, 
and HP-UX 11i. Multithreaded mode doesn't work with OpenBSD (seems to be 
a problem with the OpenBSD pthread implementation).


Speed:
------

On Linux, dnmalloc typically is as fast as, or faster than, the 
GNU libc allocator.


Memory:
-------

a)   The memory usage of dnmalloc, as indicated e.g. by 'top', does not
     reflect actual resource usage (see point (c)).

b)   Dnmalloc requires somewhat more memory (10-20 per cent) than the GNU
     libc allocator.

c)   On top of that, dnmalloc uses a large, but sparsely populated table 
     that is allocated (mmapped) at startup. This looks horrible in 'top', 
     but actually is a non-issue.

     Because of deferred allocation, memory is only reserved (i.e. backed 
     by physical resources like RAM or swap) for the used parts of this 
     table, which are small. I.e. almost all of the 128MB (256MB on 64 bit OS)
     allocated for this table is not actual resource usage, and remains 
     available for other applications.


Error detection:
----------------

By default, double frees are only detected for allocations that
exceed the maximum request size for "fastbins" (64 bytes by default).
If you want to detect all double frees, use 'mallopt(1, 0)'
to switch off fastbins. Double free detection by default results 
in program abort.

Buffer overflows will not corrupt internal structures of dnmalloc,
but will only be detected when the buffer is freed (and then by
default result in program abort). As a result, data stored on the
heap may still get corrupted, but unless these data comprise function
pointers, this cannot be exploited to execute arbitrary commands.

If you want to override the default action on error detection, you
can do so with:

/* Typedef for assert handler. Must not call malloc.
 * 'error' is the failed assertion, 'file' and 'line' the location.
 */ 
typedef void assert_handler_tp(const char *error, const char *file, int line);

/* Takes the new handler as argument, and returns the old handler 
 */
extern assert_handler_tp *dnmalloc_set_handler(assert_handler_tp *assert_handler);

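/* example: install the handler once at startup, e.g. from main()
 */
assert_handler_tp * old_handler;
void new_handler(const char *error, const char *file, int line)
{
	/* handle the error here; must not call malloc */
}
void install_handler(void)
{
	old_handler = dnmalloc_set_handler(new_handler);
}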
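
The following is an added example, not part of the dnmalloc distribution: a handler that honours the "must not call malloc" rule by formatting into a stack buffer and using write(2) instead of stdio. The names format_heap_error, log_and_abort_handler and install_heap_error_handler, and the USE_DNMALLOC macro, are assumptions made for this example.

```c
#include <stdlib.h>
#include <unistd.h>

typedef void assert_handler_tp(const char *error, const char *file, int line);
#ifdef USE_DNMALLOC /* hypothetical macro: define it when linking dnmalloc */
extern assert_handler_tp *dnmalloc_set_handler(assert_handler_tp *assert_handler);
#endif

/* Append src to buf, always leaving one byte for the terminating NUL. */
static size_t put_str(char *buf, size_t cap, size_t pos, const char *src)
{
    if (!src) src = "(null)";
    while (*src && pos + 1 < cap) buf[pos++] = *src++;
    return pos;
}

/* Build "dnmalloc: <error> at <file>:<line>\n" without stdio (which may
 * allocate). Returns the length excluding the NUL; cap must be > 0. */
size_t format_heap_error(char *buf, size_t cap, const char *error,
                         const char *file, int line)
{
    char digits[12];
    size_t n = sizeof digits, pos = 0;
    unsigned int u = line > 0 ? (unsigned int)line : 0u;
    digits[--n] = '\0';
    do { digits[--n] = (char)('0' + u % 10); u /= 10; } while (u);
    pos = put_str(buf, cap, pos, "dnmalloc: ");
    pos = put_str(buf, cap, pos, error);
    pos = put_str(buf, cap, pos, " at ");
    pos = put_str(buf, cap, pos, file);
    pos = put_str(buf, cap, pos, ":");
    pos = put_str(buf, cap, pos, digits + n);
    pos = put_str(buf, cap, pos, "\n");
    buf[pos] = '\0';
    return pos;
}

/* Handler: stack buffer and write(2) only, then abort like the default. */
void log_and_abort_handler(const char *error, const char *file, int line)
{
    char msg[256];
    size_t n = format_heap_error(msg, sizeof msg, error, file, line);
    if (write(STDERR_FILENO, msg, n) < 0) { /* nothing safe left to do */ }
    abort();
}

#ifdef USE_DNMALLOC
void install_heap_error_handler(void) { (void)dnmalloc_set_handler(log_and_abort_handler); }
#endif
```

Overlong messages are truncated to the buffer size rather than overflowing it, and the handler still aborts, so a detected double free or overflow never lets the program continue.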

