The following diff prevents integer truncation of uio_resid
by using ulmin() instead of min() and calls uiomove() instead
of the legacy uiomove().
That's straightforward because the m_len mbuf field is unsigned.
mlen can be turned to a size_t because it's set to MLEN or MCLBYTES,
which is > 0.
I plan to commit this in a few days unless there are objections.
Index: if_pppx.c
===================================================================
RCS file: /cvs/src/sys/net/if_pppx.c,v
retrieving revision 1.49
diff -u -p -r1.49 if_pppx.c
--- if_pppx.c 14 Jan 2016 09:20:31 -0000 1.49
+++ if_pppx.c 22 Jan 2016 18:23:04 -0000
@@ -273,7 +273,8 @@ pppxread(dev_t dev, struct uio *uio, int
struct pppx_dev *pxd = pppx_dev2pxd(dev);
struct mbuf *m, *m0;
int error = 0;
- int len, s;
+ int s;
+ size_t len;
if (!pxd)
return (ENXIO);
@@ -292,9 +293,9 @@ pppxread(dev_t dev, struct uio *uio, int
}
while (m0 != NULL && uio->uio_resid > 0 && error == 0) {
- len = min(uio->uio_resid, m0->m_len);
+ len = ulmin(uio->uio_resid, m0->m_len);
if (len != 0)
- error = uiomovei(mtod(m0, caddr_t), len, uio);
+ error = uiomove(mtod(m0, caddr_t), len, uio);
m = m_free(m0);
m0 = m;
}
@@ -313,8 +314,9 @@ pppxwrite(dev_t dev, struct uio *uio, in
uint32_t proto;
struct mbuf *top, **mp, *m;
struct niqueue *ifq;
- int tlen, mlen;
+ int tlen;
int error = 0;
+ size_t mlen;
#if NBPFILTER > 0
int s;
#endif
@@ -342,8 +344,8 @@ pppxwrite(dev_t dev, struct uio *uio, in
mp = ⊤
while (error == 0 && uio->uio_resid > 0) {
- m->m_len = min(mlen, uio->uio_resid);
- error = uiomovei(mtod (m, caddr_t), m->m_len, uio);
+ m->m_len = ulmin(mlen, uio->uio_resid);
+ error = uiomove(mtod (m, caddr_t), m->m_len, uio);
*mp = m;
mp = &m->m_next;
if (error == 0 && uio->uio_resid > 0) {
Index: if_tun.c
===================================================================
RCS file: /cvs/src/sys/net/if_tun.c,v
retrieving revision 1.165
diff -u -p -r1.165 if_tun.c
--- if_tun.c 7 Jan 2016 05:31:17 -0000 1.165
+++ if_tun.c 22 Jan 2016 18:23:05 -0000
@@ -764,7 +764,8 @@ tun_dev_read(struct tun_softc *tp, struc
struct ifnet *ifp = &tp->tun_if;
struct mbuf *m, *m0;
unsigned int ifidx;
- int error = 0, len, s;
+ int error = 0, s;
+ size_t len;
if ((tp->tun_flags & TUN_READY) != TUN_READY)
return (EHOSTDOWN);
@@ -825,9 +826,9 @@ tun_dev_read(struct tun_softc *tp, struc
}
while (m0 != NULL && uio->uio_resid > 0 && error == 0) {
- len = min(uio->uio_resid, m0->m_len);
+ len = ulmin(uio->uio_resid, m0->m_len);
if (len != 0)
- error = uiomovei(mtod(m0, caddr_t), len, uio);
+ error = uiomove(mtod(m0, caddr_t), len, uio);
m = m_free(m0);
m0 = m;
}
@@ -872,7 +873,8 @@ tun_dev_write(struct tun_softc *tp, stru
struct niqueue *ifq;
u_int32_t *th;
struct mbuf *top, **mp, *m;
- int error=0, tlen, mlen;
+ int error = 0, tlen;
+ size_t mlen;
#if NBPFILTER > 0
int s;
#endif
@@ -911,8 +913,8 @@ tun_dev_write(struct tun_softc *tp, stru
m->m_data += ETHER_ALIGN;
}
while (error == 0 && uio->uio_resid > 0) {
- m->m_len = min(mlen, uio->uio_resid);
- error = uiomovei(mtod (m, caddr_t), m->m_len, uio);
+ m->m_len = ulmin(mlen, uio->uio_resid);
+ error = uiomove(mtod (m, caddr_t), m->m_len, uio);
*mp = m;
mp = &m->m_next;
if (error == 0 && uio->uio_resid > 0) {
