zero leading byte of canaries

README.md

@@ -84,6 +84,7 @@ allocation and then unmapped on free.
 * Random canaries placed after each slab allocation to *absorb*
   and then later detect overflows/underflows
     * High entropy per-slab random values
+    * Leading byte is zeroed to contain C string overflows
     * [in-progress] Mangled into a unique value per slab slot (although not
       with a strong keyed hash due to performance limitations)
 * Possible slab locations are skipped and remain memory protected, leaving slab

malloc.c

@@ -274,6 +274,12 @@ static void write_after_free_check(char *p, size_t size) {
     }
 }
 
+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+static const uint64_t canary_mask = 0xffffffffffffff00UL;
+#else
+static const uint64_t canary_mask = 0x00ffffffffffffffUL;
+#endif
+
 static void set_canary(struct slab_metadata *metadata, void *p, size_t size) {
     memcpy((char *)p + size - canary_size, &metadata->canary_value, canary_size);
 }
@@ -345,7 +351,7 @@ static inline void *allocate_small(size_t requested_size) {
             mutex_unlock(&c->lock);
             return NULL;
         }
-        metadata->canary_value = get_random_u64(&c->rng);
+        metadata->canary_value = get_random_u64(&c->rng) & canary_mask;
 
         c->partial_slabs = metadata;
         void *slab = get_slab(c, slab_size, metadata);