X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/1c79356b52d46aa6b508fb032f5ae709b1f2897b..13fec9890cf095cc781fdf7b8917cb03bf32dd4c:/iokit/Kernel/IODataQueue.cpp

diff --git a/iokit/Kernel/IODataQueue.cpp b/iokit/Kernel/IODataQueue.cpp
index b98060e75..c0ea4b9e6 100644
--- a/iokit/Kernel/IODataQueue.cpp
+++ b/iokit/Kernel/IODataQueue.cpp
@@ -71,7 +71,7 @@ Boolean IODataQueue::initWithCapacity(UInt32 size)
         return false;
     }
 
-    dataQueue = (IODataQueueMemory *)IOMallocAligned(round_page(size + DATA_QUEUE_MEMORY_HEADER_SIZE), PAGE_SIZE);
+    dataQueue = (IODataQueueMemory *)IOMallocAligned(round_page_32(size + DATA_QUEUE_MEMORY_HEADER_SIZE), PAGE_SIZE);
     if (dataQueue == 0) {
         return false;
     }
@@ -91,7 +91,7 @@ Boolean IODataQueue::initWithEntries(UInt32 numEntries, UInt32 entrySize)
 void IODataQueue::free()
 {
     if (dataQueue) {
-        IOFreeAligned(dataQueue, round_page(dataQueue->queueSize + DATA_QUEUE_MEMORY_HEADER_SIZE));
+        IOFreeAligned(dataQueue, round_page_32(dataQueue->queueSize + DATA_QUEUE_MEMORY_HEADER_SIZE));
     }
 
     super::free();
@@ -105,24 +105,39 @@ Boolean IODataQueue::enqueue(void * data, UInt32 dataSize)
     const UInt32       tail      = dataQueue->tail;
     const UInt32       entrySize = dataSize + DATA_QUEUE_ENTRY_HEADER_SIZE;
     IODataQueueEntry * entry;
-    
+
     if ( tail >= head )
     {
-        if ( (tail + entrySize) < dataQueue->queueSize )
+        // Is there enough room at the end for the entry?
+        if ( (tail + entrySize) <= dataQueue->queueSize )
         {
             entry = (IODataQueueEntry *)((UInt8 *)dataQueue->queue + tail);
 
             entry->size = dataSize;
             memcpy(&entry->data, data, dataSize);
+
+            // The tail can be out of bound when the size of the new entry
+            // exactly matches the available space at the end of the queue.
+            // The tail can range from 0 to dataQueue->queueSize inclusive.
+
             dataQueue->tail += entrySize;
         }
-        else if ( head > entrySize )
+        else if ( head > entrySize ) 	// Is there enough room at the beginning?
         {
             // Wrap around to the beginning, but do not allow the tail to catch
             // up to the head.
 
             dataQueue->queue->size = dataSize;
-            ((IODataQueueEntry *)((UInt8 *)dataQueue->queue + tail))->size = dataSize;
+
+            // We need to make sure that there is enough room to set the size before
+            // doing this. The user client checks for this and will look for the size
+            // at the beginning if there isn't room for it at the end.
+
+            if ( ( dataQueue->queueSize - tail ) >= DATA_QUEUE_ENTRY_HEADER_SIZE )
+            {
+                ((IODataQueueEntry *)((UInt8 *)dataQueue->queue + tail))->size = dataSize;
+            }
+
             memcpy(&dataQueue->queue->data, data, dataSize);
             dataQueue->tail = entrySize;
         }