unlink()
• When merging two adjacent free chunks, the already free chunk has to be unlinked from its current bin via unlink()
• A heap overflow allows you to overwrite the next chunk, so the trick is to get unlink() to wrongfully forward-coalesce memory
• The unlink() attack is to poison the pointers and insert a fake chunk, then call free(), overwriting a memory location of our choosing
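Added example, not from the original slides: a toy model of the two pointer writes unlink() performs, next to a version with the back-pointer integrity check that modern glibc applies before unlinking. The `chunk` struct and the names `unlink_legacy`, `unlink_checked` and `run_case` are illustrative assumptions; no real allocator is touched, and the decoy structs stand in for the memory that poisoned pointers would reference.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified free-chunk header: only the bin links matter here. */
typedef struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk in the bin */
    struct chunk *bk;   /* previous free chunk in the bin */
} chunk;

/* Unvalidated unlink: two writes whose targets come from p's own links. */
static void unlink_legacy(chunk *p) {
    chunk *FD = p->fd, *BK = p->bk;
    FD->bk = BK;
    BK->fd = FD;
}

/* Hardened unlink: both neighbours must point back at p before any write. */
static int unlink_checked(chunk *p) {
    chunk *FD = p->fd, *BK = p->bk;
    if (FD->bk != p || BK->fd != p)
        return -1;      /* corrupted doubly linked list: refuse */
    FD->bk = BK;
    BK->fd = FD;
    return 0;
}

/* Builds head <-> p <-> tail. With corrupt set, p's links are replaced by
 * decoys a and b (constructed stand-ins for overflow-controlled pointers).
 * Returns 1 if either decoy was written to; *rc gets the unlink result. */
static int run_case(int corrupt, int checked, int *rc) {
    chunk head = {0}, p = {0}, tail = {0}, a = {0}, b = {0};
    head.fd = &p; p.bk = &head; p.fd = &tail; tail.bk = &p;
    if (corrupt) { p.fd = &a; p.bk = &b; }
    *rc = checked ? unlink_checked(&p) : (unlink_legacy(&p), 0);
    return a.bk != NULL || b.fd != NULL;
}

int main(void) {
    int rc, hit;
    hit = run_case(1, 0, &rc);
    printf("legacy,  poisoned links: decoy written=%d rc=%d\n", hit, rc);
    hit = run_case(1, 1, &rc);
    printf("checked, poisoned links: decoy written=%d rc=%d\n", hit, rc);
    hit = run_case(0, 1, &rc);
    printf("checked, intact list:    decoy written=%d rc=%d\n", hit, rc);
    return 0;
}
```

The check works because the decoys' own `fd`/`bk` fields do not point back at `p`, so poisoned links are detected before either write happens.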