xnu-792.25.20.tar.gz

[apple/xnu.git] / osfmk / ipc / ipc_kmsg.c

diff --git a/osfmk/ipc/ipc_kmsg.c b/osfmk/ipc/ipc_kmsg.c
index 5fde4553411e484fe979b396e287def7d5232059..9f524e034a18d56a7ea84f06c7a3dcf9232cb1a4 100644 (file)
--- a/osfmk/ipc/ipc_kmsg.c
+++ b/osfmk/ipc/ipc_kmsg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2000-2005 Apple Computer, Inc. All rights reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
  * 
@@ -200,8 +200,6 @@ ipc_kmsg_alloc(
        ipc_kmsg_t kmsg;
 
 #if !defined(__LP64__)
-       mach_msg_size_t size = msg_and_trailer_size - MAX_TRAILER_SIZE;
-
        /*
         * LP64support -
         * Pad the allocation in case we need to expand the
@@ -215,20 +213,23 @@ ipc_kmsg_alloc(
         * forward as we process them than it is to push all the
         * data backwards.
         */
-       max_expanded_size = 
-               (size > sizeof(mach_msg_base_t)) ?
-               (msg_and_trailer_size + DESC_SIZE_ADJUSTMENT * 
-                ((size - sizeof(mach_msg_base_t)) /
-                 (sizeof(mach_msg_ool_descriptor_t))))
-               :
-               (msg_and_trailer_size);
-#else
-       max_expanded_size = msg_and_trailer_size;
+
+       mach_msg_size_t size = msg_and_trailer_size - MAX_TRAILER_SIZE;
+       if (size > sizeof(mach_msg_base_t)) {
+               mach_msg_size_t max_desc = ((size - sizeof(mach_msg_base_t)) /
+                                          sizeof(mach_msg_ool_descriptor_t)) *
+                                          DESC_SIZE_ADJUSTMENT;
+               if (msg_and_trailer_size >= MACH_MSG_SIZE_MAX - max_desc)
+                       return IKM_NULL;
+               max_expanded_size = msg_and_trailer_size + max_desc;
+       } else
 #endif
+               max_expanded_size = msg_and_trailer_size;
 
-       /* round up for ikm_cache */
-       if (max_expanded_size < IKM_SAVED_MSG_SIZE)
-               max_expanded_size = IKM_SAVED_MSG_SIZE;
+       if (max_expanded_size > ikm_less_overhead(MACH_MSG_SIZE_MAX))
+               return IKM_NULL;
+       else if (max_expanded_size < IKM_SAVED_MSG_SIZE)
+               max_expanded_size = IKM_SAVED_MSG_SIZE;         /* round up for ikm_cache */
 
        if (max_expanded_size == IKM_SAVED_MSG_SIZE) {
                struct ikm_cache        *cache;
@@ -712,6 +713,9 @@ ipc_kmsg_get(
        if ((size < sizeof(mach_msg_header_t)) || (size & 3))
                return MACH_SEND_MSG_TOO_SMALL;
 
+       if (size > MACH_MSG_SIZE_MAX - MAX_TRAILER_SIZE)
+               return MACH_SEND_TOO_LARGE;
+
        msg_and_trailer_size = size + MAX_TRAILER_SIZE;
 
        kmsg = ipc_kmsg_alloc(msg_and_trailer_size);
@@ -775,7 +779,7 @@ ipc_kmsg_get_from_kernel(
        ipc_port_t      dest_port;
 
        assert(size >= sizeof(mach_msg_header_t));
-       assert((size & 3) == 0);
+//     assert((size & 3) == 0);
 
        assert(IP_VALID((ipc_port_t) msg->msgh_remote_port));
        dest_port = (ipc_port_t)msg->msgh_remote_port;