Fix an off-by-one in the free(9) "passed size was too small" check:

if the size passed is exactly half the size of the bucket that the
allocation was actually from, then it was incorrect.

problem noted by florian@
ok florian@ visa@

diff --git a/sys/kern/kern_malloc.c b/sys/kern/kern_malloc.c
index b448115..1df4acf 100644 (file)
--- a/sys/kern/kern_malloc.c
+++ b/sys/kern/kern_malloc.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_malloc.c,v 1.131 2017/11/14 06:46:43 dlg Exp $   */
+/*     $OpenBSD: kern_malloc.c,v 1.132 2018/01/02 06:07:21 guenther Exp $      */
 /*     $NetBSD: kern_malloc.c,v 1.15.4.2 1996/06/13 17:10:56 cgd Exp $ */
 
 /*
@@ -387,8 +387,8 @@ free(void *addr, int type, size_t freedsize)
        if (freedsize != 0 && freedsize > size)
                panic("free: size too large %zu > %ld (%p) type %s",
                    freedsize, size, addr, memname[type]);
-       if (freedsize != 0 && size > MINALLOCSIZE && freedsize < size / 2)
-               panic("free: size too small %zu < %ld / 2 (%p) type %s",
+       if (freedsize != 0 && size > MINALLOCSIZE && freedsize <= size / 2)
+               panic("free: size too small %zu <= %ld / 2 (%p) type %s",
                    freedsize, size, addr, memname[type]);
        /*
         * Check for returns of data that do not point to the