# Chunk allocation and reallocation Bins exist to reuse chunks. Here there is a quick example at how it's done. ## Fastbins Fastbins are probably the easiest to explain as they are grouped by size. The last chunk to be placed in the bin is the first chunk reallocated. A simple C program can highlight this behavior : ```c #include #include int main() { char *a = malloc(20); char *b = malloc(20); char *c = malloc(20); printf("a: %p\nb: %p\nc: %p\n", a, b, c); puts("Freeing..."); free(a); free(b); free(c); puts("Re-allocating..."); char *d = malloc(20); char *e = malloc(20); char *f = malloc(20); printf("d: %p\ne: %p\nf: %p\n", d, e, f); } ``` ``` a: 0x55c9fe6de2a0 b: 0x55c9fe6de2c0 c: 0x55c9fe6de2e0 Freeing... Re-allocating... d: 0x55c9fe6de2e0 e: 0x55c9fe6de2c0 f: 0x55c9fe6de2a0 ``` This specific fastbin progresses as follows: {% @mermaid/diagram content="%%{init: { "flowchart": { "htmlLabels": true, "curve": "linear" } } }%% graph TD free2("free(a)") --> 2a subgraph one 2(HEAD) 2 --> 2a(a) end free3("free(b)") --> 3b subgraph two 3(HEAD) 3 --> 3a(a) 3a --> 3b(b) end free4("free(c)") --> 4c subgraph three 4(HEAD) 4 --> 4a(a) 4a --> 4b(b) 4b --> 4c(c) end " %} And then when data are reallocated : {% @mermaid/diagram content="%%{init: { "flowchart": { "htmlLabels": true, "curve": "linear" } } }%% graph LR subgraph init inith(HEAD) inith --> inita(a) inita --> initb(b) initb --> initc(c) end init -- "malloc() d" --> one subgraph one 2(HEAD) 2 --> 2a(a) 2a --> 2b(b) end one -- "malloc() e" --> two subgraph two 3(HEAD) 3 --> 3a(a) end two -- "malloc() f" --> three subgraph three 4(HEAD) end " %} {% hint style="info" %} the chunk `a` gets reassigned to chunk `f`, `b` to `e` and `c` to `d`. Then, if a chunk is freed, thee is a good chance that the next malloc() - if it's the same size - will use the same chunk {% endhint %} ## Unsorted Bins When **a non-fast chunk is freed**, it gets put **into the Unsorted Bin**. When new chunks are requested, glibc looks at the unsorted bin. * If the requested size **is equal** to the size of the chunk in the bin, **return the chunk** * If **it's smaller**, **split** the chunk in the bin in two and **return a portion of the correct size** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.ctfrecipes.com/pwn/general-knowledge/operation-of-the-heap/chunk-allocation-and-reallocation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.