Martin Natano wrote:
> Below the uiomove() conversion for kern/subr_log.c. msg_buf[rsx] are all
> of type long, but are always positive. This diff prevents truncation of
> uio_resid (and l) due to min() usage.
Makes sense.
ok?
> Index: kern/subr_log.c
> ===================================================================
> RCS file: /cvs/src/sys/kern/subr_log.c,v
> retrieving revision 1.36
> diff -u -p -u -r1.36 subr_log.c
> --- kern/subr_log.c 7 Jan 2016 12:27:07 -0000 1.36
> +++ kern/subr_log.c 9 Jan 2016 14:49:27 -0000
> @@ -180,7 +180,7 @@ int
> logread(dev_t dev, struct uio *uio, int flag)
> {
> struct msgbuf *mbp = msgbufp;
> - long l;
> + size_t l;
> int s;
> int error = 0;
>
> @@ -202,13 +202,14 @@ logread(dev_t dev, struct uio *uio, int
> logsoftc.sc_state &= ~LOG_RDWAIT;
>
> while (uio->uio_resid > 0) {
> - l = mbp->msg_bufx - mbp->msg_bufr;
> - if (l < 0)
> + if (mbp->msg_bufx >= mbp->msg_bufr)
> + l = mbp->msg_bufx - mbp->msg_bufr;
> + else
> l = mbp->msg_bufs - mbp->msg_bufr;
> - l = min(l, uio->uio_resid);
> + l = ulmin(l, uio->uio_resid);
> if (l == 0)
> break;
> - error = uiomovei(&mbp->msg_bufc[mbp->msg_bufr], (int)l, uio);
> + error = uiomove(&mbp->msg_bufc[mbp->msg_bufr], l, uio);
> if (error)
> break;
> mbp->msg_bufr += l;
>
> cheers,
> natano
>
