X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/b36670cedae0009469e8ee117453de831de64a6b..0c530ab8987f0ae6a1a3d9284f40182b88852816:/osfmk/ipc/ipc_kmsg.c
diff --git a/osfmk/ipc/ipc_kmsg.c b/osfmk/ipc/ipc_kmsg.c
index 5fde45534..9f524e034 100644
--- a/osfmk/ipc/ipc_kmsg.c
+++ b/osfmk/ipc/ipc_kmsg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2000-2005 Apple Computer, Inc. All rights reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
  *
@@ -200,8 +200,6 @@ ipc_kmsg_alloc(
 	ipc_kmsg_t kmsg;
 
 #if !defined(__LP64__)
-	mach_msg_size_t size = msg_and_trailer_size - MAX_TRAILER_SIZE;
-
 	/*
 	 * LP64support -
 	 * Pad the allocation in case we need to expand the
@@ -215,20 +213,23 @@ ipc_kmsg_alloc(
 	 * forward as we process them than it is to push all the
 	 * data backwards.
 	 */
-	max_expanded_size =
-		(size > sizeof(mach_msg_base_t)) ?
-		(msg_and_trailer_size + DESC_SIZE_ADJUSTMENT *
-		 ((size - sizeof(mach_msg_base_t)) /
-		  (sizeof(mach_msg_ool_descriptor_t))))
-		:
-		(msg_and_trailer_size);
-#else
-	max_expanded_size = msg_and_trailer_size;
+
+	mach_msg_size_t size = msg_and_trailer_size - MAX_TRAILER_SIZE;
+	if (size > sizeof(mach_msg_base_t)) {
+		mach_msg_size_t max_desc = ((size - sizeof(mach_msg_base_t)) /
+					    sizeof(mach_msg_ool_descriptor_t)) *
+					    DESC_SIZE_ADJUSTMENT;
+		if (msg_and_trailer_size >= MACH_MSG_SIZE_MAX - max_desc)
+			return IKM_NULL;
+		max_expanded_size = msg_and_trailer_size + max_desc;
+	} else
 #endif
+		max_expanded_size = msg_and_trailer_size;
 
-	/* round up for ikm_cache */
-	if (max_expanded_size < IKM_SAVED_MSG_SIZE)
-		max_expanded_size = IKM_SAVED_MSG_SIZE;
+	if (max_expanded_size > ikm_less_overhead(MACH_MSG_SIZE_MAX))
+		return IKM_NULL;
+	else if (max_expanded_size < IKM_SAVED_MSG_SIZE)
+		max_expanded_size = IKM_SAVED_MSG_SIZE; /* round up for ikm_cache */
 
 	if (max_expanded_size == IKM_SAVED_MSG_SIZE) {
 		struct ikm_cache *cache;
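Review bot: The new guard `if (msg_and_trailer_size >= MACH_MSG_SIZE_MAX - max_desc)` in ipc_kmsg_alloc protects the addition that follows it, but the block still computes `size = msg_and_trailer_size - MAX_TRAILER_SIZE` with no check that the argument is at least MAX_TRAILER_SIZE, so a caller passing a smaller value would wrap `size`, take the expansion branch and derive an oversized max_desc; ipc_kmsg_get (next hunk) builds its argument as size + MAX_TRAILER_SIZE, but the other callers of ipc_kmsg_alloc are not visible here. Suggest pinning the precondition at the top of the #if block, `assert(msg_and_trailer_size >= MAX_TRAILER_SIZE);`, or returning IKM_NULL for it. The braceless `} else` that straddles `#endif`, making the final assignment the else-arm on 32-bit and an unconditional statement on LP64, is correct but easy to misread; a one-line comment such as `/* LP64: the expansion branch above is compiled out */` above `max_expanded_size = msg_and_trailer_size;` would help. The preceding hunk only moves the `size` declaration that this hunk re-adds.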
@@ -712,6 +713,9 @@ ipc_kmsg_get(
 	if ((size < sizeof(mach_msg_header_t)) || (size & 3))
 		return MACH_SEND_MSG_TOO_SMALL;
 
+	if (size > MACH_MSG_SIZE_MAX - MAX_TRAILER_SIZE)
+		return MACH_SEND_TOO_LARGE;
+
 	msg_and_trailer_size = size + MAX_TRAILER_SIZE;
 
 	kmsg = ipc_kmsg_alloc(msg_and_trailer_size);
@@ -775,7 +779,7 @@ ipc_kmsg_get_from_kernel(
 	ipc_port_t dest_port;
 
 	assert(size >= sizeof(mach_msg_header_t));
-	assert((size & 3) == 0);
+//	assert((size & 3) == 0);
 	assert(IP_VALID((ipc_port_t) msg->msgh_remote_port));
 
 	dest_port = (ipc_port_t)msg->msgh_remote_port;
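Review bot: The new `MACH_SEND_TOO_LARGE` check sits between the MACH_SEND_MSG_TOO_SMALL test and the `size + MAX_TRAILER_SIZE` addition, which is the right place, but nothing records that the bound exists to keep that addition (and the LP64 expansion that ipc_kmsg_alloc adds on top of it) from wrapping. A comment above it, `/* size + MAX_TRAILER_SIZE must stay representable; ipc_kmsg_alloc bounds the expanded size separately */`, would keep the two checks from drifting apart. ipc_kmsg_alloc can now return IKM_NULL for oversized requests; the kmsg test after the alloc call is outside this hunk, so it is worth confirming that it maps that result to an error rather than dereferencing it.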
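Review bot: Commenting out `assert((size & 3) == 0)` instead of removing it leaves no record of why messages entering through ipc_kmsg_get_from_kernel may now have sizes that are not a multiple of four while ipc_kmsg_get (previous hunk) still rejects them with MACH_SEND_MSG_TOO_SMALL. Either delete the line or replace it with a comment stating the reason, e.g. `/* size need not be 4-byte aligned for in-kernel senders -- confirm */`. Unlike ipc_kmsg_get, no upper bound on size is asserted here before the allocation, and since ipc_kmsg_alloc can now return IKM_NULL for oversize requests its return value in this function needs to be checked; the rest of ipc_kmsg_get_from_kernel is outside the hunk.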