uio_resid may overflow when coerced to u_int, causing lptwrite() to
return early. Also, uiomovei() can be replaced with uiomove(), since the
size argument is of type size_t anyway.
Index: dev/ic/lpt.c
===================================================================
RCS file: /cvs/src/sys/dev/ic/lpt.c,v
retrieving revision 1.13
diff -u -p -r1.13 lpt.c
--- dev/ic/lpt.c 10 Feb 2015 21:56:09 -0000 1.13
+++ dev/ic/lpt.c 9 Apr 2015 17:56:17 -0000
@@ -367,8 +367,8 @@ lptwrite(dev_t dev, struct uio *uio, int
size_t n;
int error = 0;
- while ((n = min(LPT_BSIZE, uio->uio_resid)) != 0) {
- error = uiomovei(sc->sc_cp = sc->sc_inbuf->b_data, n, uio);
+ while ((n = ulmin(LPT_BSIZE, uio->uio_resid)) != 0) {
+ error = uiomove(sc->sc_cp = sc->sc_inbuf->b_data, n, uio);
if (error != 0)
return error;
sc->sc_count = n;
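Review bot: The new `while` line has no comment saying why `ulmin()` is required, so a later cleanup could revert it to `min()` and reintroduce the truncation of `uio_resid` to `u_int` that this patch removes. I would add above the loop `/* ulmin, not min: uio_resid is a size_t and must not be truncated to u_int */`. The same clamp is what keeps `n` at or below `LPT_BSIZE` for the copy into `sc->sc_inbuf->b_data`; that the buffer is at least that large is assumed here, since its allocation is outside the hunk. Separately, the assignment `sc->sc_cp = sc->sc_inbuf->b_data` inside the `uiomove()` argument list would read better as its own statement before the call. lptwrite()'s body continues beyond the hunk.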
cheers,
natano