From: guenther Date: Tue, 2 Jan 2018 06:07:21 +0000 (+0000) Subject: Fix an off-by-one in the free(9) "passed size was too small" check: X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=29e477084e4cf41df33525bd7f1c7464ee47f717;p=openbsd Fix an off-by-one in the free(9) "passed size was too small" check: if the size passed is exactly half the size of the bucket that the allocation was actually from, then it was incorrect. problem noted by florian@ ok florian@ visa@ --- diff --git a/sys/kern/kern_malloc.c b/sys/kern/kern_malloc.c index b448115593f..1df4acfdcc0 100644 --- a/sys/kern/kern_malloc.c +++ b/sys/kern/kern_malloc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_malloc.c,v 1.131 2017/11/14 06:46:43 dlg Exp $ */ +/* $OpenBSD: kern_malloc.c,v 1.132 2018/01/02 06:07:21 guenther Exp $ */ /* $NetBSD: kern_malloc.c,v 1.15.4.2 1996/06/13 17:10:56 cgd Exp $ */ /* @@ -387,8 +387,8 @@ free(void *addr, int type, size_t freedsize) if (freedsize != 0 && freedsize > size) panic("free: size too large %zu > %ld (%p) type %s", freedsize, size, addr, memname[type]); - if (freedsize != 0 && size > MINALLOCSIZE && freedsize < size / 2) - panic("free: size too small %zu < %ld / 2 (%p) type %s", + if (freedsize != 0 && size > MINALLOCSIZE && freedsize <= size / 2) + panic("free: size too small %zu <= %ld / 2 (%p) type %s", freedsize, size, addr, memname[type]); /* * Check for returns of data that do not point to the
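Review bot: The changed test `freedsize <= size / 2` in the free() hunk of sys/kern/kern_malloc.c has no comment saying why a passed size of exactly half the bucket size is wrong, so the reasoning exists only in the commit message. Consider a one-line comment above the check recording that an allocation of size / 2 or less cannot have come from this bucket, which would keep the boundary from being turned back into `<` later. The panic string was updated to `<=` along with the condition, so the message still matches the test. Separately, the comparison mixes `freedsize` (printed with `%zu`) and `size` (printed with `%ld`), so it is worth confirming that the signed/unsigned conversion is intended here, as in the "size too large" check just above.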