af_unix: increase QUEUE_ENTRY_SIZE to the true max formatted string size

A valid oversized v1-formatted event can be dropped by audisp-af_unix causing loss of events for applications consuming the AF_UNIX plugin socket.

It has specific conditions:

the plugin input is binary,
the incoming dispatcher event is protocol v1,
the AF_UNIX plugin output format is string,
and the record already was near MAX_AUDIT_MESSAGE_LENGTH.

This almost never happens.

Author: stevegrubb

audisp/plugins/af_unix/audisp-af_unix.c

@@ -70,7 +70,8 @@ static struct mallinfo2 last_mi;
 #endif
 
 #define DEFAULT_QUEUE_DEPTH 512
-#define QUEUE_ENTRY_SIZE MAX_AUDIT_EVENT_FRAME_SIZE+1
+#define V1_TEXT_PREFIX (32+12) // largest record type + formatting
+#define QUEUE_ENTRY_SIZE (MAX_AUDIT_EVENT_FRAME_SIZE+V1_TEXT_PREFIX+1)
 
 static size_t queue_depth = DEFAULT_QUEUE_DEPTH;
 static struct queue *queue;