diff options
author | Philip Guenther <guenther@cvs.openbsd.org> | 2018-01-02 06:07:22 +0000 |
---|---|---|
committer | Philip Guenther <guenther@cvs.openbsd.org> | 2018-01-02 06:07:22 +0000 |
commit | a2104963fbd9fdcae1c039cff75f922f316d0137 (patch) | |
tree | 3830ccd6232658d6173dce4b058b30571933f811 /sys/kern/kern_malloc.c | |
parent | 17d387e35d0e83a6a88291640984c4f33900b42d (diff) |
Fix an off-by-one in the free(9) "passed size was too small" check:
if the size passed is exactly half the size of the bucket that the
allocation was actually from, then it was incorrect.
problem noted by florian@
ok florian@ visa@
Diffstat (limited to 'sys/kern/kern_malloc.c')
-rw-r--r-- | sys/kern/kern_malloc.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/kern/kern_malloc.c b/sys/kern/kern_malloc.c index b448115593f..1df4acfdcc0 100644 --- a/sys/kern/kern_malloc.c +++ b/sys/kern/kern_malloc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_malloc.c,v 1.131 2017/11/14 06:46:43 dlg Exp $ */ +/* $OpenBSD: kern_malloc.c,v 1.132 2018/01/02 06:07:21 guenther Exp $ */ /* $NetBSD: kern_malloc.c,v 1.15.4.2 1996/06/13 17:10:56 cgd Exp $ */ /* @@ -387,8 +387,8 @@ free(void *addr, int type, size_t freedsize) if (freedsize != 0 && freedsize > size) panic("free: size too large %zu > %ld (%p) type %s", freedsize, size, addr, memname[type]); - if (freedsize != 0 && size > MINALLOCSIZE && freedsize < size / 2) - panic("free: size too small %zu < %ld / 2 (%p) type %s", + if (freedsize != 0 && size > MINALLOCSIZE && freedsize <= size / 2) + panic("free: size too small %zu <= %ld / 2 (%p) type %s", freedsize, size, addr, memname[type]); /* * Check for returns of data that do not point to the |