From 126c0364bf7d72d4f2ecf1ad2f4ebe1d2667940d Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Sun, 1 Oct 2023 17:24:02 +0200
Subject: ipc: Fix allocating kernel buffer for storing user message

Otherwise ipc_kmsg_copyin_body will overflow.
---
 ipc/mach_msg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'ipc/mach_msg.c')
diff --git a/ipc/mach_msg.c b/ipc/mach_msg.c
index 482c85a5..fb6e6dfc 100644
--- a/ipc/mach_msg.c
+++ b/ipc/mach_msg.c
@@ -450,7 +450,7 @@ mach_msg_trap(
 * We must clear ikm_cache before copyinmsg.
 */
 
- if ((send_size > IKM_SAVED_MSG_SIZE) ||
+ if (((send_size * IKM_EXPAND_FACTOR) > IKM_SAVED_MSG_SIZE) ||
 (send_size < sizeof(mach_msg_user_header_t)) ||
 (send_size & 3))
 goto slow_get;
-- 
cgit v1.2.3
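Review bot: The new bound multiplies the caller-supplied `send_size` before comparing it, so if that product is computed in a fixed-width unsigned type it can wrap for very large values and wrongly pass the `> IKM_SAVED_MSG_SIZE` test. The types of `send_size` and of the two macros are not visible in this hunk, so this needs confirming against their declarations. Dividing the constant side instead gives the same result for every in-range value and cannot wrap: `if ((send_size > IKM_SAVED_MSG_SIZE / IKM_EXPAND_FACTOR) ||`. A short comment saying that the factor accounts for the user message growing when it is copied into the kernel buffer would also explain why the cached-kmsg path is limited this way. The body of `mach_msg_trap` starts and ends outside the hunk, so whether the `slow_get` path applies the same expansion is not checkable from here.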