summaryrefslogtreecommitdiff
path: root/sys/kern/kern_malloc.c
diff options
context:
space:
mode:
authorPhilip Guenther <guenther@cvs.openbsd.org>2018-01-02 06:07:22 +0000
committerPhilip Guenther <guenther@cvs.openbsd.org>2018-01-02 06:07:22 +0000
commita2104963fbd9fdcae1c039cff75f922f316d0137 (patch)
tree3830ccd6232658d6173dce4b058b30571933f811 /sys/kern/kern_malloc.c
parent17d387e35d0e83a6a88291640984c4f33900b42d (diff)
Fix an off-by-one in the free(9) "passed size was too small" check:
if the size passed is exactly half the size of the bucket that the allocation was actually from, then it was incorrect. problem noted by florian@ ok florian@ visa@
Diffstat (limited to 'sys/kern/kern_malloc.c')
-rw-r--r--sys/kern/kern_malloc.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/kern/kern_malloc.c b/sys/kern/kern_malloc.c
index b448115593f..1df4acfdcc0 100644
--- a/sys/kern/kern_malloc.c
+++ b/sys/kern/kern_malloc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_malloc.c,v 1.131 2017/11/14 06:46:43 dlg Exp $ */
+/* $OpenBSD: kern_malloc.c,v 1.132 2018/01/02 06:07:21 guenther Exp $ */
/* $NetBSD: kern_malloc.c,v 1.15.4.2 1996/06/13 17:10:56 cgd Exp $ */
/*
@@ -387,8 +387,8 @@ free(void *addr, int type, size_t freedsize)
if (freedsize != 0 && freedsize > size)
panic("free: size too large %zu > %ld (%p) type %s",
freedsize, size, addr, memname[type]);
- if (freedsize != 0 && size > MINALLOCSIZE && freedsize < size / 2)
- panic("free: size too small %zu < %ld / 2 (%p) type %s",
+ if (freedsize != 0 && size > MINALLOCSIZE && freedsize <= size / 2)
+ panic("free: size too small %zu <= %ld / 2 (%p) type %s",
freedsize, size, addr, memname[type]);
/*
* Check for returns of data that do not point to the