For small allocations (chunk) freezero only validates the given

size if canaries are enabled. In that case we have the exact requested
size of the allocation.  But we can at least check the given size
against the chunk size if C is not enabled. Plus add some braces
so my brain doesn't have to scan for dangling else problems when I
see this code.

1 files changed, 10 insertions, 5 deletions

diff --git a/lib/libc/stdlib/malloc.c b/lib/libc/stdlib/malloc.c
index 4e5176f71ee..dc395c4736c 100644
--- a/lib/libc/stdlib/malloc.c
+++ b/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: malloc.c,v 1.223 2017/04/18 15:46:44 otto Exp $	*/
+/*	$OpenBSD: malloc.c,v 1.224 2017/04/22 09:12:49 otto Exp $	*/
 /*
  * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
  * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -1334,7 +1334,7 @@ ofree(struct dir_info *argpool, void *p, int clear, int check, size_t argsz)
 	REALSIZE(sz, r);
 	if (check) {
 		if (sz <= MALLOC_MAXCHUNK) {
-			if (mopts.chunk_canaries) {
+			if (mopts.chunk_canaries && sz > 0) {
 				struct chunk_info *info =
 				    (struct chunk_info *)r->size;
 				uint32_t chunknum =
@@ -1342,14 +1342,19 @@ ofree(struct dir_info *argpool, void *p, int clear, int check, size_t argsz)
 
 				if (info->bits[info->offset + chunknum] <
 				    argsz)
-					wrterror(pool, "recorded old size %hu"
+					wrterror(pool, "recorded size %hu"
 					    " < %zu",
 					    info->bits[info->offset + chunknum],
 					    argsz);
+			} else {
+				if (sz < argsz)
+					wrterror(pool, "chunk size %zu < %zu",
+					    sz, argsz);
 			}
-		} else if (sz - mopts.malloc_guard < argsz)
-			wrterror(pool, "recorded old size %zu < %zu",
+		} else if (sz - mopts.malloc_guard < argsz) {
+			wrterror(pool, "recorded size %zu < %zu",
 			    sz - mopts.malloc_guard, argsz);
+		}
 	}
 	if (sz > MALLOC_MAXCHUNK) {
 		if (!MALLOC_MOVE_COND(sz)) {