Below the uiomove() conversion for kern/subr_log.c. msg_buf[rsx] are all
of type long, but are always positive. This diff prevents truncation of
uio_resid (and l) due to min() usage.
Index: kern/subr_log.c
===================================================================
RCS file: /cvs/src/sys/kern/subr_log.c,v
retrieving revision 1.36
diff -u -p -u -r1.36 subr_log.c
--- kern/subr_log.c 7 Jan 2016 12:27:07 -0000 1.36
+++ kern/subr_log.c 9 Jan 2016 14:49:27 -0000
@@ -180,7 +180,7 @@ int
logread(dev_t dev, struct uio *uio, int flag)
{
struct msgbuf *mbp = msgbufp;
- long l;
+ size_t l;
int s;
int error = 0;
@@ -202,13 +202,14 @@ logread(dev_t dev, struct uio *uio, int
logsoftc.sc_state &= ~LOG_RDWAIT;
while (uio->uio_resid > 0) {
- l = mbp->msg_bufx - mbp->msg_bufr;
- if (l < 0)
+ if (mbp->msg_bufx >= mbp->msg_bufr)
+ l = mbp->msg_bufx - mbp->msg_bufr;
+ else
l = mbp->msg_bufs - mbp->msg_bufr;
- l = min(l, uio->uio_resid);
+ l = ulmin(l, uio->uio_resid);
if (l == 0)
break;
- error = uiomovei(&mbp->msg_bufc[mbp->msg_bufr], (int)l, uio);
+ error = uiomove(&mbp->msg_bufc[mbp->msg_bufr], l, uio);
if (error)
break;
mbp->msg_bufr += l;
cheers,
natano
