ipc: Fix allocating kernel buffer for storing user message

Otherwise ipc_kmsg_copyin_body will overflow.
author: Samuel Thibault <samuel.thibault@ens-lyon.org> 2023-10-01 17:24:02 +0200
committer: Samuel Thibault <samuel.thibault@ens-lyon.org> 2023-10-01 17:34:13 +0200
commit: 126c0364bf7d72d4f2ecf1ad2f4ebe1d2667940d (patch)
tree: 07be87498222a605dda3ea5e0ffe81d3e5b356b0 /ipc/ipc_kmsg.c
parent: 513125f30a05b4ad3408d5f4efd36d2c6ba10744 (diff)
download: gnumach-126c0364bf7d72d4f2ecf1ad2f4ebe1d2667940d.tar.gz
gnumach-126c0364bf7d72d4f2ecf1ad2f4ebe1d2667940d.tar.bz2
gnumach-126c0364bf7d72d4f2ecf1ad2f4ebe1d2667940d.zip
1 files changed, 4 insertions, 3 deletions
diff --git a/ipc/ipc_kmsg.c b/ipc/ipc_kmsg.c
index bd1b30da..105e54d4 100644
--- a/ipc/ipc_kmsg.c
+++ b/ipc/ipc_kmsg.c
@@ -489,19 +489,20 @@ ipc_kmsg_get(
 	ipc_kmsg_t 		*kmsgp)
 {
 	ipc_kmsg_t kmsg;
+	mach_msg_size_t 	ksize = size * IKM_EXPAND_FACTOR;
 
 	if ((size < sizeof(mach_msg_user_header_t)) || mach_msg_user_is_misaligned(size))
 		return MACH_SEND_MSG_TOO_SMALL;
 
-	if (size <= IKM_SAVED_MSG_SIZE) {
+	if (ksize <= IKM_SAVED_MSG_SIZE) {
 		kmsg = ikm_cache_alloc();
 		if (kmsg == IKM_NULL)
 			return MACH_SEND_NO_BUFFER;
 	} else {
-		kmsg = ikm_alloc(size);
+		kmsg = ikm_alloc(ksize);
 		if (kmsg == IKM_NULL)
 			return MACH_SEND_NO_BUFFER;
-		ikm_init(kmsg, size);
+		ikm_init(kmsg, ksize);
 	}
 
 	if (copyinmsg(msg, &kmsg->ikm_header, size)) {
author	Samuel Thibault <samuel.thibault@ens-lyon.org>	2023-10-01 17:24:02 +0200
committer	Samuel Thibault <samuel.thibault@ens-lyon.org>	2023-10-01 17:34:13 +0200
commit	126c0364bf7d72d4f2ecf1ad2f4ebe1d2667940d (patch)
tree	07be87498222a605dda3ea5e0ffe81d3e5b356b0 /ipc/ipc_kmsg.c
parent	513125f30a05b4ad3408d5f4efd36d2c6ba10744 (diff)
download	gnumach-126c0364bf7d72d4f2ecf1ad2f4ebe1d2667940d.tar.gz gnumach-126c0364bf7d72d4f2ecf1ad2f4ebe1d2667940d.tar.bz2 gnumach-126c0364bf7d72d4f2ecf1ad2f4ebe1d2667940d.zip