unlink()
•When merging two adjacent free chunks, the chunk that is already free has to be unlinked from its current bin via unlink()
•A heap overflow allows you to overwrite the header of the next chunk, so the trick is to get unlink() to run on corrupted pointers during forward coalescing (merging a chunk with the one that follows it)
•The unlink() attack is to poison the fd/bk pointers and insert a fake chunk, then call free(), so that unlink() overwrites a memory location of our choosing
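The following is an added illustration, not code from the slides: a simplified model of a free-chunk header and a doubly-linked bin, with the classic unlink logic next to the hardened form that performs the integrity check glibc's unlink macro does ("corrupted double-linked list"). The struct, the bin layout and the `target` location are constructed for the demo and are not glibc's real data structures; the point is to show why the check stops the technique described above: once an overflow has replaced fd/bk, the neighbours no longer point back at the chunk, and the hardened unlink refuses to write through them.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of a free chunk header (not glibc's actual malloc_chunk). */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;   /* next free chunk in the bin */
    struct chunk *bk;   /* previous free chunk in the bin */
} chunk_t;

/* Classic unlink: trusts fd/bk blindly and writes through both pointers. */
static void unlink_unchecked(chunk_t *p) {
    chunk_t *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Hardened unlink: only proceeds if both neighbours actually point back at p.
 * Returns 0 on success, -1 where glibc would abort with
 * "corrupted double-linked list". */
static int unlink_checked(chunk_t *p) {
    chunk_t *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Build a circular bin: head <-> a <-> b <-> head (constructed). */
static void init_bin(chunk_t *head, chunk_t *a, chunk_t *b) {
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = head; head->bk = b;
}

/* Legitimate case: a is removed from the bin and the list stays consistent.
 * Returns 1 on success. */
int demo_legit_unlink(void) {
    chunk_t head = {0}, a = {0}, b = {0};
    init_bin(&head, &a, &b);
    if (unlink_checked(&a) != 0)
        return 0;
    return head.fd == &b && b.bk == &head;
}

/* Corrupted case: a's fd/bk have been replaced (as an overflow into its
 * header would leave them) and point at an unrelated location.  Returns 1 if
 * the hardened unlink rejects it and leaves 'target' untouched, while the
 * unchecked version would have written into 'target'. */
int demo_corrupted_unlink(void) {
    chunk_t head = {0}, a = {0}, b = {0};
    chunk_t target = {0};          /* stands in for an arbitrary location (constructed) */
    init_bin(&head, &a, &b);
    a.fd = &target;                /* corrupted: no longer points into the bin */
    a.bk = &target;

    int rejected  = (unlink_checked(&a) == -1);
    int untouched = (target.fd == NULL && target.bk == NULL);

    unlink_unchecked(&a);          /* the pre-hardening behaviour, for contrast */
    int clobbered = (target.fd == &target && target.bk == &target);

    return rejected && untouched && clobbered;
}

int main(void) {
    printf("legitimate unlink ok:      %d\n", demo_legit_unlink());
    printf("corrupted unlink detected: %d\n", demo_corrupted_unlink());
    return 0;
}
```

The check is cheap because a well-formed bin already satisfies `fd->bk == p` and `bk->fd == p`; any fake chunk whose neighbours were not prepared to point back at it fails it. Later glibc releases add a further consistency check between a chunk's size field and the prev_size recorded in the following chunk, which narrows the remaining ways to pass the pointer check.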